Just how safe is your chip card? Well, the answer lies in where you bank.
The small chip on your credit or debit card is designed to provide an extra layer of protection against malware that tries to clone your card and access your account information. However, recent findings show an increase in malware attacks on U.S.-based financial institutions.
Traditional payment cards store all of their data in plain text on the magnetic stripe. This information can be cloned onto anything else that has a magnetic stripe, which creates the perfect opening for hackers to access it and place fraudulent charges. Chip-based cards, on the other hand, use a technology called EMV, which encrypts the account data stored in the chip. This technology uses a unique encryption key, commonly referred to as a “cryptogram”, that allows it to generate new encryption each time the card is used.
Virtually all chip-based cards still have the same information stored on the magnetic stripe, mostly because many U.S. financial institutions have not completed the transition to EMV. While this dual function might appear convenient, since it lets you swipe your card whenever the card’s chip or the merchant’s EMV terminal is not working properly, it undermines the security that the chip’s encryption provides.
The beauty of the EMV security approach is that even if malware is able to intercept your transaction’s information, that information is only valid for that particular transaction and should not allow a perpetrator to place fraudulent charges. For this system to work, however, the financial institution’s back-end system has to check that, when the chip is inserted, only the iCVV (which protects the data in the chip) is present and not the CVV (which protects the data on the magnetic stripe). If this doesn’t match, it is supposed to decline the transaction.
Unfortunately, not all banks have set up their systems this way, and it comes as no surprise that perpetrators have known about this weakness for several years.
Researchers at Cyber R&D Labs released a publication detailing a test of 11 cards from different financial institutions in Europe and the US. They were able to access 4 of them, which successfully allowed them to clone the information from the magnetic stripe. There are now strong indicators that this particular method is being used by point-of-sale (POS) malware to gather information from EMV transactions, which is then sold to fabricate magnetic stripe copies of chip-based cards.
In addition to all of this, earlier this month Visa issued a security alert about a recent merchant compromise in which known POS malware families were targeting EMV chip-enabled POS terminals.
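The issuer-side check described above, shown next to the lax variant that accepts either value, as an added example that is not code from Visa, the researchers or any bank. It assumes an HMAC-SHA256 stand-in for the real CVV/iCVV derivation, a constructed key, and hypothetical function names.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer keeps its card-verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"


def verification_value(pan, expiry, channel):
    """Stand-in for the issuer's CVV/iCVV derivation (assumption: HMAC-SHA256,
    not the real card-scheme algorithm). `channel` is "chip" or "stripe", so
    the same card yields a different value on each interface."""
    msg = f"{pan}|{expiry}|{channel}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:8]


def _same(a, b):
    # Constant-time comparison on bytes.
    return hmac.compare_digest(a.encode(), b.encode())


def authorize(entry_mode, pan, expiry, presented):
    """Strict check: approve only the value bound to the entry mode."""
    if entry_mode not in ("chip", "stripe"):
        return False, "unknown entry mode"
    other = "stripe" if entry_mode == "chip" else "chip"
    if _same(presented, verification_value(pan, expiry, entry_mode)):
        return True, "approved"
    if _same(presented, verification_value(pan, expiry, other)):
        # Data captured on one interface is being presented on the other:
        # decline, and treat it as a counterfeit-card signal worth alerting on.
        return False, f"{other} value presented on {entry_mode} read"
    return False, "verification value mismatch"


def lax_authorize(entry_mode, pan, expiry, presented):
    """Misconfigured back end: accepts either value, ignoring entry mode."""
    ok = any(_same(presented, verification_value(pan, expiry, c))
             for c in ("chip", "stripe"))
    return ok, "approved" if ok else "verification value mismatch"
```

The reason string returned on a cross-channel mismatch is the useful part for fraud monitoring: it separates a mistyped or corrupted value from chip-derived data being replayed as a swipe.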
“The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date,” Visa wrote. “Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV® Chip.”
Visa did not disclose the affected merchant’s information; however, there appears to be a similar breach at Key Food Storage Co-Operative Inc, located in the Northeastern region of the United States. The company initially disclosed a security breach in March 2020, but 2 weeks ago the disclosure was updated to clarify that EMV transactions were also included.
“The POS devices at the store locations involved were EMV enabled,” Key Food explained. “For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).”
This is a reminder that stolen EMV data can still be used to create a magnetic stripe version of the card, which can then be used at store registers in cases where the bank has not implemented EMV correctly.