US Chip Cards Are Being Compromised In the Millions

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems. The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

Re:What

Just reiterating the fact that the chips were a half-measure, never fully implemented as designed, and are thus useless and leave us vulnerable per the credit vendors' lobbied wishes? Yeah maybe just that.

Bait and switch headline much?

[Wrath0fb0b]

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant complianceâ"too many of them still use the mag-stripe function at PoS terminals. ...
If the EMV functionalities are not fully deployed, the track 1 and track 2 data stolen from the chip transaction can be easily encoded by the fraudster onto any magnetic strip.

So to get this straight, you get a plastic card, it supports both the newfangled way and the old-and-busted way (or else people would be up in arms that it wasn't compatible with 100% of readers). By the way, the new hotness is just the old version plus a transaction-unique cryptographic token. Now, when this is deployed, people figure out -- they skim the new way and then use it to create mag-stripe cards that can be used only at places that don't require a chip. But somehow this is a problem with the chip cards?

Nooooo, it's a problem with places that don't require a chip. We've known since the 80s that you can copy a magnetic strip with a 2-tape boombox (seriously, it will work).

TLDR: There's nothing wrong with the chip cards themselves. But there is something wrong with merchants that haven't upgraded to EMV, and definitely something wrong with /. editors that write a completely ass-backwards headline.