Credit Card Chips Have Failed to Halt Fraud (So Far)

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

Chip & PIN

Without a PIN, and without a chip reader for online purchases the whole exercise has been a waste of time.

Re: Of course

And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the bank's won't authorise payment in local country. So we get our cards cloned, and then used in the US!

A couple points:

1. The chip does nothing to crooks from using the card number, type, expiration date and 3 digit code on the back.
2. Many retailers I use my chip card at don't even use the chip reader functionality in their terminals, taping it off and indicating that the card needs to be swiped instead.
3. Most retailers never check my sig (even if indicated on the card).
4. I can run my card as 'credit' and can bypass the pin entry, totally rendering that useless.

Re:Still no use for PIN

[xlsior]

The reason that US creditcard companies don't want to force their users to use pin codes is simple: no one wants to be first. In most of the world, people have a single creditcard. The average American has half a dozen or more. Forcing Americans to remember a Pin just means that a not insignificant percentage of users will simply to switch one of their other cards that's 'less inconvenient' - therefore, nothing changes since none of the card companies want to lose their users to the competition.

Re:Well duh

[TheRaven64]

That's the theory. Unfortunately, one of the flaws in the EMV protocol is that the authentication is unidirectional. The card must authenticate itself to the bank, but the bank doesn't have to authenticate itself to the card. This makes it comparatively easy to MITM the transaction. It's a shame that the US waited over 20 years until the EMV protocol had been thoroughly analysed and numerous flaws identified and then deployed it.

Re: Of course

[Kjella]

And for those of us in the rest of the world, the US is also the cause of fraud on our credit cards. For backward compatibility, our cards still have a magstripe, but the bank's won't authorise payment in local country. So we get our cards cloned, and then used in the US!

Here in Norway they've fixed this quite easily because around 2010 most the banks introduced regional blocks, the defaults vary a little but my bank's card by default only works in Norway. To expand the coverage you must log in to the online bank and enable it. You can permanently enable it for our neighboring countries in Scandinavia, but for the other regions (rest of Europe, North America, South America, Africa, Asia) you can only enable it for three months at a time. That has pretty much stopped international scams dead in their tracks, even if it is enabled the crooks don't know until they try and while the occasional tourist will forget and enabled it after being declined it will stand out as a sore thumb.

Combined with 2FA using the cell phone/one time codes for online purchases fraud here is extremely low. I found a page that said total credit/debit card fraud in Norway is around 150 MNOK/year, that's $17 million. Divided by 2.4 million households that's about $7, the average household income is about $51k so 0.013% is lost to fraud. Basically that's noise level, people lose more money on grocery prices due to shoplifting than that. I don't think these numbers include robbery where you're forced to enter/hand over the PIN though, just shoulder surfing and such.

Chip cards aren't meant to prevent breaches

[bongk]

There's a lot of misinformation here.

Chip cards aren't meant to prevent card breaches. For card-present transactions (in person at the store), the exact same encryption and cardholder data protection requirements are in place from the reader to the bank whether its EMV or old mag-stripe. For card-not-present transactions (online and e-commerce) EMV makes no difference at all.

Chip cards do one thing. They make it harder to make a fraudulent physical card. With mag-stripe it is trivial to take another credit card or even a subway gift card and recode its mag-stripe to use a stolen card number, so I can walk into a merchant and use that card.

The author appears to be confusing EMV standards with the PCI P2PE (point to point encryption) standard, which is meant to prevent breaches by doing many of the things the author describes.

Re:Still no use for PIN

[Anne+Thwacks]

That is not true. Most people in Europe have several cards, and I am quite sure they have to use a PIN.

I can also confirm that a lot of people in Nigeria have several cards, and they have to use PINs there, and one side effect has been to massively reduce fraud committed by the banks themselves. I assume the reluctance of American banks to force use of the PIN is because a large part of the fraud is committed by the banks themselves.

Yes its true: American banks are noticeably less trustworthy than Nigerian banks. (cf Wells Fargo)