US Chip Cards Are Being Compromised In the Millions

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems. The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

What

too many of them still use the mag-stripe function

If this is mostly happening via the old magnetic strip than what does the chip even have to do with this story?

Re:What

[ShanghaiBill]

Just reiterating the fact that the chips were a half-measure

Not even half, maybe a quarter measure. The chips can not only be bypassed, but because America doesn't use chip-and-PIN, the chip can be used directly by anyone stealing your card.

It is like putting a titanium deadbolt on your front door, and having an aluminum screen door on the back of the house, and also putting the deadbolt cylinder in backwards so the thumbturn is on the outside.

The rest of the world did this right. Only America screwed it up so badly, and mostly because the people with the ability to fix it (that banks) have no incentive to do so. They just push the losses off onto the customer or the merchant.

Re:Poland and Serbia

[b0s0z0ku]

Here's the thing -- by allowing the Russians to take over Eastern Europe in 1945, the US created that particular mess. The US should have stuck to their guns in 1945 and required truly free elections in all of the countries concerned. We had nuclear weapons. Stalin did not.

This being said, the stereotype of Eastern Europe being a mecca for fraud, corruption, and nothing else, is a bit of an outdated trope. Poland's economy is booming, though their politics are a bit shameful right now. Countries like Estonia have actually set themselves up as tech hubs right now, legit businesses and startups.

Slow adoptance

[Dan+East]

The headline is misleading. It is not the transactions by chip that are being compromised. The fact that a card swiped the old fashioned way happened to have a chip is moot - it is the same attack vector on the legacy magnetic strip.

There must be significant expense involved for merchants to switch to the chip readers, as most of the POS now systems have chip readers, but some retailers don't support them. More than likely it is price gouging by the vendors that configure and manage the POS units.

Finally, in my area, Lowes Home Improvement has the totally bizarre setup where if I want to use my bank card as a debit card (requiring PIN) I must swipe, and if I want to use it as credit card (requiring signature) I must insert it. However, it asks you AFTER you have inserted or swiped, so if you choose the wrong option then you have to remove or re-swipe the card. The local store has resorted to putting handwritten notes on the POS terminals advising which to do (insert or swipe) depending on whether you want credit or debit. That leads me to believe there is some recurring per-transaction cost using chip with debit.