Microchip Payment Cards Still Vulnerable to Exploitation
Chip-protected EMV payment cards are reducing in-person transaction fraud overall, but merchants have to be aware of new schemes involving the cards.
Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction. In some instances, criminals are shifting from in-store to online exploits, where the chip’s security features can’t be applied.
Fraud evolves at least as fast as tools to prevent it, and microchip cards are being attacked in new ways. In one scheme, hackers install a fake microchip on a card with compromised account data on the card’s magnetic strip.
Under the scheme, hackers try making a purchase by inserting the card into the chip reader. When that doesn’t work, they complete the transaction by swiping the card and transmitting the compromised data. This defeats the protection offered by the microchip, which is designed to verify the security of a transaction through encryption.
The danger is exacerbated by card network policies that shift liability for card-present transactions to merchants. If a customer uses a compromised card, the merchant may be responsible for the charges.
In other schemes, retailers report a growing problem with so-called “shimming” attacks where a small card-reading device (itself with an embedded microchip and flash storage) is installed in a compromised payment terminal. The shim then records data from the EMV chip and magnetic strip, which is then used to create a clone of the now-compromised card.
While the cloned card won’t have the full security protections of a legitimate EMV card, it can be used to make purchases that rely on a swiped magnetic strip.
With traditional credit cards, the magnetic strip on the back of the card contains static personal information about the cardholder. This information is used to authenticate the card at the point of sale (PoS) terminal, before the purchase is authorized. When a consumer uses an EMV card at a chip PoS terminal, that transaction is protected using the technology in the microchip. Additionally, consumers will be able to continue to use the magnetic strip on the EMV card at retailers who have not yet implemented chip PoS terminals.
When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, merchants will be able to verify the user’s identity. Currently, not all EMV cards are issued to consumers with the PIN capability and not all merchant PoS terminals can accept PIN entry. EMV transactions at chip PoS terminals provide more security of consumers’ personal data than magnetic strip PoS transactions.
In addition, EMV card transactions transmit data between the merchant and the issuing bank with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to criminal activity while the data is transmitted from the chip enabled PoS to the issuing bank.
The FBI encourages merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards. Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions.
At a minimum, merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers.
Credit card information taken over the telephone or through online means should be protected by the retailer to include encrypting digital information and securely disposing written credit card information.