Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Chip Cards Are Being Compromised In the Millions (threatpost.com)

Posted by BeauHD on from the that's-a-lot-of-zeros dept.

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems. The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

8 of 106 comments (clear)

  1. Re:What by hey! · · Score: 3, Informative

    If this is mostly happening via the old magnetic strip than what does the chip even have to do with this story?

    If you can intercept the conversation between the EMV chip and the terminal, you can skim enough information to produce a counterfeit mag stripe that will work. That's actually a long-standing vulnerability in the EMV system.

    There was supposedly a fix which involved programming different ICCV codes on the chip and in the mag stripe, but that fix depends on the card provisioners to implement. This is typical of security debacles: a fundamental weakness in the system isn't really fixed by a band-aid that requires everyone to do the right thing.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Whenever I travel to the US... by beezly · · Score: 3, Informative

    Whenever I travel to the US, one of the first things that I notice is different is the lax approach to card security. In most of Western Europe, pretty much every card transaction uses the chip. I can disable the mag-stripe on some of my cards (through the banks' online systems), and using magstripe anywhere increases the chance of a transaction being picked up by the banks' automated fraud detection systems. Then when you get to the US, you go into a restaurant, settle up by card with no signature and no pin, and then the restaurant can manipulate the transaction later to add whatever tip you wrote on the bill. Madness!

    1. Re:Whenever I travel to the US... by viperidaenz · · Score: 3, Informative

      You can disable the magstripe with a magnet too.

      That might stop it working in ATM's though.
      Some bank ATM's rewrite the magstripe every time you use it with a different security code. They recommend you insert your card in their ATM's when you return from holiday, as if it was skimmed and they've update the security code since then, the fraud detection kicks in immediately when the skimmed card is used.

      National Australia Bank calls it LENSecure

  3. Slow adoptance because of banks by johnjones · · Score: 3, Informative

    the retailers put up with allowing mag stripe because the banks do

    if EMV actually made the retailer liable for fraud then they would make sure you use pay wave/pass (NFC) and a PIN
    by using a CHIP and PIN it first of all verifies LOCALLY on the chip then generates a One Time Code that gets sent to the issuing network (bank) There is ZERO

    repeat ZERO ways to skim chip and PIN its all down to the Mag Stripe

    before some bright spark complains about having to input the numbers into ecommerce sites... Yes this can be secured by 2FA that the banks in europe ask for (you get redirected during the payment process to the banks website that then ask's for your 2FA details )

    basically its american banks being lazy and dont care about loosing customer details... its just a cost of business to them and they dont care about the retailers experience either otherwise they would have made made NFC cheap and easy

    basically banks need to reduce they fee's they charge retailers in return for securing things 0.5% is common in Europe

  4. my story (tldr; wells fargo is clueless) by TheGratefulNet · · Score: 5, Informative

    sigh. I'd like to type in pages but I won't.

    long story short, I got a text from wells saying they thought something was 'up' with some purchases. I never check sms (I use email and ignore sms) but I later found that text and called wells to check if it was real. it was real and there were thousands of dollars of charges I didn't make. I never lost my card and it was never out of my posession.

    I called wells and we went thru the charges. I told them which were mine and which were unknown to me. I thought that was it and waited to hear back. weeks later, I get a letter in the mail from them saying that they 'investigated' it and since the card was never lost and it was a CHIP BASED CARD, it could NOT BE THEIR FAULT and I was told I had to pay the thousands of dollars of charges!

    I was shocked. I was a member of that bank for over 20 years (yeah, I know, I should have left years ago when wells first had issues reported against them).

    the weeks that they let it sit were weeks that evidence was starting to fade away (video 'tapes' being recycled at stores, etc). I think that was also part of wells' plan, to delay me and make me miss some deadlines.

    I forced them to re-open the 'closed' case and I filed a police report. I was not asked to at first, but when I went to the bank in person and made an issue of this, they asked that I make a formal police report, which I then did.

    get this: one week later, I get letters in the mail from the local court system. they caught 2 people and I was informed that sentencing was going to happen in 1 week and I was allowed to attend, if I wanted. (I suspect that the forged card had my name on it or receipts from stores had my name on it).

    here's the kicker: it took ALL OF THIS in order to convince my bank that it was not me. their line, all along was 'it was a chip card and it never left your possesion, in your own words, and chip cards are PERFECT, so pay up, it was you!'. that was their line and until I showed them court papers, they would not give in.

    tell everyone you know about this. the chip cards are less than useless in the US and banks are still putting their fingers in their ears and saying 'I cant hear you, its still your fault, pay up!'.

    their security system is at fault and yet they blame us.

    it took me MONTHS to get this all cleared out. did I get anything for my time? no. of course not.

    wells fargo can eat shit and die. anyone still with them should leave immediately. I was a 20+ year member and they threw me under the bus for a few thousand dollars. they don't deserve to have a single customer. please leave if you are with them.

    and be very careful with your 'chip' card. there's nothing secure about it. the thieves have it all worked out already ;(

    --

    --
    "It is now safe to switch off your computer."
  5. Re: What by Anonymous Coward · · Score: 3, Informative

    Most of the fraud is moving to online transactions, where all they need are the numbers and cvv code. Chips won't help. What is needed is 2 factor Auth to approve transactions.

  6. Re:Bait and switch headline much? by Tony+Isaac · · Score: 4, Informative

    Those merchants are having to pay for their lack of adoption. Based on Visa and Mastercard rules, if the merchant doesn't support chip cards, and there is a fraudulent transaction using the magnetic strip, the merchant is out the money. If the issuing bank doesn't provide a chip card, the bank is out the money. These incentives will talk more loudly than people preaching better security.

  7. Re:Chip and PIN is no panacea by moronoxyd · · Score: 1, Informative

    Last I checked the democracies at least in western Europe work pretty well.

    Gerrymandering, voter suppression, election irregularities, fixing the courts with partisan judges, the administration calling the fourth estate the enemies of the people -- all stuff that's undermining democracies, and all stuff that the US is currently known for.

    (To be fair: Some of those problems do exist in a few eastern European countries.)