Chip-enabled debit and credit cards were supposed to end—or at least, reduce—payment card fraud for in-person transactions. Unfortunately, that doesn’t appear to have happened in the three years since the United States switched to using chip cards.
Of the more than 60 million payment cards compromised in the United States over the past 12 months, 93 percent had the new chip technology, research firm Gemini Advisory found in a report. The results come from telemetry data collected from various criminal forums and marketplaces where stolen credit card information are sold.
“Contrary to the prevailing logic, migration to the EMV did not eradicate the card-present fraud,” wrote Stas Alforov, director of research and development at Gemini Advisory.
The EMV standard (for Europay, MasterCard, Visa, the three companies that developed the standard) defines how to create an encrypted connection between the payment card and the point-of-sale terminal before transmitting payment card information. The idea was that attackers would not be able to capture track 1 and track 2 (name, account number, expiration date, or card verification code) data because the information was encrypted on the card’s chip. In the past, attackers were able to intercept the information from the card’s magnetic stripe and create cloned cards. Chip-enabled cards meant attackers wouldn’t be able to create fake credit cards.
The idea was that the shift to EMV-enabled chip cards would shift payment card fraud to online transactions and other situations where the physical card was not being used. However, the Gemini Advisory study found that 75 percent of the stolen U.S. cards were obtained during in-person (“card present”) transactions, compared to the 25 percent from card-not-present transactions. Of the card-present transactions, 90 percent were chip-based cards.
How Can That Be?
It turns out many merchants still have customers swipe the card on magnetic card readers to capture payment information instead of using the newer chip-reading technology. Criminals who had compromised the point-of-sale machines with card-skimming malware or tampered the physical readers with card-skimming hardware could intercept the payment card details from the magnetic strips when the cards were swiped.
“There are numerous merchant locations that are still asking their customers to swipe rather than use the chip-insert method, thus completely neglecting the EMV security features,” Alforov wrote in the report.
The stolen card details could be used in card-not-present transactions or used to create cloned cards. Those fake cards can then be used as part of in-person transactions, since the U.S. system kept the magnetic stripe as a fallback mechanism. If the chip cannot be read (because the chip is defective or the reader is not working), the card can be swiped.
Merchants may still be relying on the older and insecure magnetic stripe readers because buying the chip readers and upgrading the point-of-sale software can be fairly expensive, “upward of several thousand dollars,” Gemini Advisory said. The high cost may have deterred small- to medium-size businesses from making that investment, but that decision may wind up being a costlier one.
As part of the shift to chip-enabled cards, the four major card processors—Visa, MasterCard, Discover, and American Express—decided to shift the liability for payment card fraud onto merchants if they did not use EMV-compliant payment systems. While there was no penalty for merchants that didn’t make that switch, if they had been hit by a card breach over the past three years, they were the ones responsible for the fraudulent transactions.
U.S. vs World
The United States was the last of the G20 countries to adopt the EMV standard, and Gemini Advisory’s data shows that the problem isn’t with the implementation, not the standard. Over the past 12 months, about 15.9 million payment cards stolen from non-U.S. consumers were available for sale in criminal marketplaces compared to the more than 60 million U.S. cards. The majority of the stolen non-U.S. cards were from card-not-present transactions—11.3 million.
It was “evident that EMV implementation has successfully made its impact in most countries outside of the U.S.,” Alforov wrote.
Criminals look for the path of least resistance, and would be more likely to reuse their existing techniques as long as they work. Gemini Advisory predicted that criminals would shift towards small to medium sized businesses (having 10 to 50 locations) to steal credit card information.
“[Such] businesses are less likely to have fully implemented the EMV transition, criminals would be able to rely on their current [strategies] for card data exfiltration,” Alforov said.