Chip-and-PIN cards are here to stay in the U.S. — despite some pushback from banks and retailers alike. While the switch means better protection for consumers and companies at point-of-sale (POS) terminals, there are new security threats on the horizon as scammers shift their efforts from brick-and-mortar stores to online transactions and more aggressive chip-and-PIN fraud. Here’s a look at the new face of credit crime.

Clear and Not-Present Danger

Looking for evidence of new fraud formats? Start with the U.K., where chip-and-PIN cards, also known as Europay, MasterCard and Visa (EMV) cards, have been the retail standard for more than a decade. According to Wired, cybercriminals have moved away from POS terminals to target online shoppers by leveraging the inherent insecurity of card-not-present transactions.

By compromising user profiles or accounts online, attackers get access to stored credit data and personal information, which they then use to make purchases that don’t require a physical card — anything ordered online or over the phone, for example. So long as they provide the right credit type, number and name on the card, there’s nothing else to stand in their way; no signatures or PINs are required.

The numbers don’t lie: Between 2004 and 2014, the volume of card-not-present (CNP) fraud rose from 30 percent to 69 percent of total credit transactions. CNP losses are on track to reach $7 billion in the U.S. by 2020. With online shopping quickly ramping up, those loss estimates may be conservative.

The trend should come as no surprise. Criminals have shown a willingness to adopt and pursue valuable credit data, no matter how security professionals try to keep it safe. First, attackers grabbed card data stored on local servers, then tried to intercept the data in transit or at POS machines directly. The move to chip-and-PIN hasn’t defeated their efforts — it simply shifted their focus to a new location.

Old Tricks, New Tactics

Attackers are also looking for ways to exploit existing problems and uncover new options for chip-and-PIN fraud. According to CNBC, for example, some criminals are looking to exploit the magnetic stripe data they already have by selling it online or using it at POS machines that haven’t been upgraded to use chip cards. Others are doubling down on application fraud to open new credit accounts and defraud victims using physical cards that still rely on magnetic stripes and signatures. The result is approximately $14 billion in fraud before the switch to EMV is complete.

Despite the fundamental security improvements offered by chip-and-PIN cards, security experts have already discovered ways to compromise these cards and defraud victims. According to Ars Technica, researchers from ATM hardware provider NCR Corporation recently demonstrated two EMV breaches at this year’s Black Hat conference.

First, they showed it was possible to hijack information from an external PIN pad and create a duplicate EMV card with altered Track 2 data. When presented, this new card convinces the POS system that the chip card is actually only mag stripe and reads it as such, bypassing the need for a PIN.

They also demonstrated how to compromise the security between PIN entry and POS terminals. This involved prompting users to re-enter their PIN or other data, which attackers could then grab and use to compromise future chip transactions.
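
An issuer-side check against the first demonstration above, added here as an example and not taken from the NCR research or the original article. It assumes the altered Track 2 field is the ISO/IEC 7813 service code (first digit 2 or 6 marks a chip card), which the article does not specify; `review_swipe`, the issuance lookup and the sample track strings are hypothetical and constructed.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
CHIP_DIGITS = {"2", "6"}  # first service-code digit that declares a chip

@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def claims_chip(self) -> bool:
        return self.service_code[0] in CHIP_DIGITS

def parse_track2(raw: str) -> Track2:
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(m.group(1), m.group(2), m.group(3))

def review_swipe(raw: str, issued_with_chip: dict, terminal_reads_chip: bool) -> str:
    """Classify a magnetic-stripe read against the issuer's own issuance record."""
    t2 = parse_track2(raw)
    on_record = issued_with_chip.get(t2.pan)
    if on_record is None:
        return "unknown-card"
    if on_record and not t2.claims_chip:
        # Stripe says "no chip" but the issuer shipped a chip card:
        # the stripe data does not match what was issued.
        return "decline"
    if t2.claims_chip and terminal_reads_chip:
        # Chip card swiped at a chip-capable terminal: stripe fallback.
        return "review"
    return "ok"

# Constructed sample data: industry test PANs, not real accounts.
ISSUED = {"4111111111111111": True, "5500000000000004": False}
GENUINE_CHIP = ";4111111111111111=25122011234567?"   # service code 201
ALTERED_CHIP = ";4111111111111111=25121011234567?"   # service code 101
STRIPE_ONLY = ";5500000000000004=25121011234567?"    # issued without a chip

if __name__ == "__main__":
    for raw in (GENUINE_CHIP, ALTERED_CHIP, STRIPE_ONLY):
        print(raw, "->", review_swipe(raw, ISSUED, terminal_reads_chip=True))
```

The decision uses the issuer's issuance record rather than anything read from the card, so a stripe that misreports the card type cannot talk the authorization host out of requiring the chip.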

Researchers from Rapid7, meanwhile, found that POS devices can be used to intercept one-time key and account data used by chip cards and then transmit this data to a compromised ATM. A second transaction is made with the compromised data, which causes the ATM to dispense cash from victim accounts. What’s more, it’s often possible for criminals to hide these ATMs in plain sight by placing “out of order” signs on them and then waiting for a convenient time to grab their ill-gotten gains.

The Future of Chip-and-PIN Fraud

Will the switch to EMV cards mean the end of credit fraud? Unlikely. Along with increased CNP crime, expect cybercriminals to embrace the challenge of chip-and-PIN fraud to compromise user data at the point of sale.

For retailers, the shift away from mag stripes is a reminder that security starts at home. Regardless of card type or credit issuer expectation, solid data protection from the POS to approval authority and back again remains the single best way to protect business interests and dodge the wrath of defrauded consumers.
