In my last post, I discussed how fraudsters take advantage of the fact that some financial institutions still are not authenticating the CVV on credit cards. This is allowing fraudsters to clone cards and cash them out at ATMs. But checking the CVV isn’t a recipe for a life without card fraud in real world locations such as ATMs and brick-and-mortar merchants. Testament to this is the fact that most banks actually do authenticate this code. Even when all systems are running as they should be, credit card fraud is easy and accessible to most fraudsters. The reason is another kind of vulnerability – age.
Since its adoption, card readers/writers have become so commonplace that they can be ordered legitimately right over the Internet. A quick search on eBay for these devices pulls up multiple offers, each for several hundreds of dollars – equal to several hours of work for the experienced criminal. Fraudsters actually assume everyone in the underground owns one, and raw magnetic stripe data (“dumps” in fraudster terminology) along with the PIN code is considered to be as good as cash, as these can be used to make a withdrawal at an ATM.
The wide availability of these readers/writers poses two threats. First, reading and saving the dumps (card skimming) is painfully easy. Hand your credit card to a waiter, a store clerk or any other service provider, even for a few seconds, and your card has the potential to be cloned. There is a risk that exists even when you are the one swiping the card as there are tampered ATMs and point-of-sale devices which save a copy of the card data without anyone but the fraudster knowing.
It is worth noting that skimming cards is not the only way of getting dumps. Fraudsters attempt to breach the security of brick-and-mortar merchants or even card processors to get these records in bulk (TJX and Heartland ring a bell?). So the second threat is that it doesn’t matter how the “dumps” were obtained; it’s a simple matter to encode the data to fake cards and go to the store (or to the ATM, if the PIN code is also available).
Naturally, this wide availability drove masses of fraudsters to participate in the party. In turn, this led to the introduction of the next generation of credit card security – EMV, a global standard for chip cards (also known as “smart cards”) and terminals that can read them. The chip contains the card data in an encrypted fashion and poses a real challenge for fraudsters to read information from it, let alone clone it.
In countries where it was implemented, such as the United Kingdom and France, fraudsters encountered a problem. Even for the most sophisticated criminals that secretly managed to “hack” this new technology, there were still ninety nine percent of fraudsters that lacked this ability. Unable to break this security measure, fraudsters took a page out of the “Solving Computer Problems 101” book – if you can’t fix an issue, work around it.
As the EMV standard hasn’t been adopted worldwide yet, these cards still have a magnetic stripe so can still be used abroad. So, instead of dealing with the chip, fraudsters skim the magnetic stripe, clone the card and use it in countries that still rely on archaic card technology. Fraudsters keep updated lists of which countries still haven’t implemented EMV and send the data to their cohorts in those countries (or in rare instances, even travel there themselves). While the amounts that can be stolen from each card are lower because of the foreign location, it is still profitable enough for fraudsters to go at it.
Will a world-wide adoption of this stronger security measure completely abolish card fraud? Not really. Typical to fraudster modus operandi, when the going gets tough, the tough move to another channel – card not present transactions, to be specific. However, in order to successfully pull off a fraudulent transaction over the phone or the Internet, a different set of credentials is required which are collected in others ways.
Adopting smart cards worldwide may not cause fraud to go away completely, but it will certainly reduce the value of “dumps” data and “skimming” and diminish the appetite among criminals to breach the networks of merchants or processors in order to collect this data. So while alternatives do exist, just because the boat is leaking on one end doesn’t mean that we shouldn’t plug the other. In any case, let’s hope it will happen before age catches up to smart cards as well.
Chip and pin is vulnerable
Due to careless design choices, the EMV chip and pin protocol was ‘aged’ from the start:
Note the authors’ comment about the primary goal of chip-and-pin being for the banks, card companies and merchants to achieve ‘liability shift’ to the customer: so long as they can get away with claiming that the pin must have been leaked by the customer, they are not strongly motivated to fix the problem.