Slashdot Mirror


US Chip Cards Are Being Compromised In the Millions (threatpost.com)

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems." The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

21 of 106 comments

  1. What by Anonymous Coward · · Score: 5, Interesting

    too many of them still use the mag-stripe function

    If this is mostly happening via the old magnetic strip then what does the chip even have to do with this story?

    1. Re:What by Anonymous Coward · · Score: 2, Insightful

      Just reiterating the fact that the chips were a half-measure, never fully implemented as designed, and are thus useless and leave us vulnerable per the credit vendors' lobbied wishes? Yeah maybe just that.

    2. Re:What by hey! · · Score: 3, Informative

      If this is mostly happening via the old magnetic strip then what does the chip even have to do with this story?

      If you can intercept the conversation between the EMV chip and the terminal, you can skim enough information to produce a counterfeit mag stripe that will work. That's actually a long-standing vulnerability in the EMV system.

      There was supposedly a fix which involved programming different ICCV codes on the chip and in the mag stripe, but that fix depends on the card provisioners to implement. This is typical of security debacles: a fundamental weakness in the system isn't really fixed by a band-aid that requires everyone to do the right thing.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
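The fix this comment describes, different verification codes on the chip and on the mag stripe, lets an issuer reject a stripe that was built from chip data. A sketch of that issuer-side check follows as an added example, not part of the original thread or any issuer's code; the card record, the entry-mode labels, the position of the code in the discretionary data and the sample values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

@dataclass
class CardRecord:
    """Issuer-side record; both values are constructed sample data."""
    stripe_cvv: str  # value encoded on the physical magnetic stripe
    chip_cvv: str    # different value carried in the chip's track-2-equivalent data

# Constructed issuer database keyed by PAN (a test number, not a real card).
ISSUER_DB = {"4111111111111111": CardRecord(stripe_cvv="123", chip_cvv="987")}

def parse_track2(raw):
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("malformed track 2 data")
    pan, expiry, service_code, disc = m.groups()
    # Assumption: the verification value is the last three discretionary digits.
    return {"pan": pan, "expiry": expiry, "service_code": service_code, "cvv": disc[-3:]}

def authorize(entry_mode, raw_track2, terminal_chip_capable):
    """entry_mode is 'chip' or 'magstripe' (hypothetical labels for this example)."""
    t2 = parse_track2(raw_track2)
    card = ISSUER_DB.get(t2["pan"])
    if card is None:
        return "DECLINE: unknown card"
    expected = card.chip_cvv if entry_mode == "chip" else card.stripe_cvv
    if t2["cvv"] != expected:
        other = card.stripe_cvv if entry_mode == "chip" else card.chip_cvv
        if t2["cvv"] == other:
            # Data captured from one interface was presented over the other.
            return "DECLINE: counterfeit (value from the other interface)"
        return "DECLINE: bad verification value"
    # Service codes starting with 2 or 6 mark a card that carries a chip.
    if entry_mode == "magstripe" and t2["service_code"][0] in "26" and terminal_chip_capable:
        return "DECLINE: chip card swiped at chip-capable terminal"
    return "APPROVE"
```

The check only works if the card provisioner actually loaded two different values, which is the dependency the comment points out.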
    3. Re:What by dpalley · · Score: 2

      They're saying the chips are EMV-enabled, but the vulnerable transactions are still using the old mag stripe.

    4. Re:What by ShanghaiBill · · Score: 5, Interesting

      Just reiterating the fact that the chips were a half-measure

      Not even half, maybe a quarter measure. The chips can not only be bypassed, but because America doesn't use chip-and-PIN, the chip can be used directly by anyone stealing your card.

      It is like putting a titanium deadbolt on your front door, and having an aluminum screen door on the back of the house, and also putting the deadbolt cylinder in backwards so the thumbturn is on the outside.

      The rest of the world did this right. Only America screwed it up so badly, and mostly because the people with the ability to fix it (the banks) have no incentive to do so. They just push the losses off onto the customer or the merchant.

    5. Re:What by TheGratefulNet · · Score: 2

      no. read my (long) post.

      it was not magstripe, it was outright forgery. I don't believe they ever had my card, but I suspect the equifax (etc) break-ins were the cause of most of this.

      there is 'skimming' and 'shimming' but in my case, I don't think it was a copy of the card; I think they frauded the system some other way.

      one thing the bank told me: if these were magstripe transactions, we would have voided them out as soon as you reported them to us, but since they used MAGIC CHIPS, of course, those are trustable so we are rejecting your claim.

      (not kidding)

      --
      "It is now safe to switch off your computer."
    6. Re: What by Anonymous Coward · · Score: 3, Informative

      Most of the fraud is moving to online transactions, where all they need are the numbers and cvv code. Chips won't help. What is needed is 2 factor Auth to approve transactions.

  2. Re:Chip and PIN is no panacea by gweihir · · Score: 2

    This seems to be a US problem. Late to the game and trouble getting it to work? Not good.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:Poland and Serbia by b0s0z0ku · · Score: 3, Interesting

    Here's the thing -- by allowing the Russians to take over Eastern Europe in 1945, the US created that particular mess. The US should have stuck to their guns in 1945 and required truly free elections in all of the countries concerned. We had nuclear weapons. Stalin did not.

    This being said, the stereotype of Eastern Europe being a mecca for fraud, corruption, and nothing else, is a bit of an outdated trope. Poland's economy is booming, though their politics are a bit shameful right now. Countries like Estonia have actually set themselves up as tech hubs right now, legit businesses and startups.

  4. Bait and switch headline much? by Wrath0fb0b · · Score: 5, Insightful

    The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. ...
    If the EMV functionalities are not fully deployed, the track 1 and track 2 data stolen from the chip transaction can be easily encoded by the fraudster onto any magnetic strip.

    So to get this straight, you get a plastic card, it supports both the newfangled way and the old-and-busted way (or else people would be up in arms that it wasn't compatible with 100% of readers). By the way, the new hotness is just the old version plus a transaction-unique cryptographic token. Now, when this is deployed, people figure out -- they skim the new way and then use it to create mag-stripe cards that can be used only at places that don't require a chip. But somehow this is a problem with the chip cards?

    Nooooo, it's a problem with places that don't require a chip. We've known since the 80s that you can copy a magnetic strip with a 2-tape boombox (seriously, it will work).

    TLDR: There's nothing wrong with the chip cards themselves. But there is something wrong with merchants that haven't upgraded to EMV, and definitely something wrong with /. editors that write a completely ass-backwards headline.

    1. Re:Bait and switch headline much? by Tony+Isaac · · Score: 4, Informative

      Those merchants are having to pay for their lack of adoption. Based on Visa and Mastercard rules, if the merchant doesn't support chip cards, and there is a fraudulent transaction using the magnetic strip, the merchant is out the money. If the issuing bank doesn't provide a chip card, the bank is out the money. These incentives will talk more loudly than people preaching better security.

    2. Re:Bait and switch headline much? by TheRaven64 · · Score: 2

      A lot of the fraud was solved in the rest of the world by a simple change to the merchant banking rules: merchants may not take the card out of sight of the customer. If you want people to pay at the table in a restaurant, you come around with a wireless card reader. This removes 99% of the opportunities for skimming and it means that if a merchant does take the card away it's so unusual that the customer will likely remember it when they discover fraudulent transactions and can easily report the source. It's weird visiting the US and seeing that it's still standard to allow waiters to take the card away into a back room where they can make a clone and bring back the original.

      --
      I am TheRaven on Soylent News
  5. Slow adoptance by Dan+East · · Score: 3, Interesting

    The headline is misleading. It is not the transactions by chip that are being compromised. The fact that a card swiped the old fashioned way happened to have a chip is moot - it is the same attack vector on the legacy magnetic strip.

    There must be significant expense involved for merchants to switch to the chip readers, as most of the POS systems now have chip readers, but some retailers don't support them. More than likely it is price gouging by the vendors that configure and manage the POS units.

    Finally, in my area, Lowes Home Improvement has the totally bizarre setup where if I want to use my bank card as a debit card (requiring PIN) I must swipe, and if I want to use it as credit card (requiring signature) I must insert it. However, it asks you AFTER you have inserted or swiped, so if you choose the wrong option then you have to remove or re-swipe the card. The local store has resorted to putting handwritten notes on the POS terminals advising which to do (insert or swipe) depending on whether you want credit or debit. That leads me to believe there is some recurring per-transaction cost using chip with debit.

    --
    Better known as 318230.
  6. Re:OMG Regulation by Fly+Swatter · · Score: 2

    a) that is a huge expense that probably is still under the amount of fraud they have to cover
    b) they can blame the retailer and again that is not fraud they have to cover
    c) if they do have to cover more fraud, they just raise the rates

    In the end it's us that has to pay, both in higher prices and interest rates - they just pass the costs of incompetence on to you.

  7. Whenever I travel to the US... by beezly · · Score: 3, Informative

    Whenever I travel to the US, one of the first things that I notice is different is the lax approach to card security. In most of Western Europe, pretty much every card transaction uses the chip. I can disable the mag-stripe on some of my cards (through the banks' online systems), and using magstripe anywhere increases the chance of a transaction being picked up by the banks' automated fraud detection systems. Then when you get to the US, you go into a restaurant, settle up by card with no signature and no pin, and then the restaurant can manipulate the transaction later to add whatever tip you wrote on the bill. Madness!

    1. Re:Whenever I travel to the US... by viperidaenz · · Score: 3, Informative

      You can disable the magstripe with a magnet too.

      That might stop it working in ATMs though.
      Some bank ATMs rewrite the magstripe every time you use it with a different security code. They recommend you insert your card in their ATMs when you return from holiday, as if it was skimmed and they've updated the security code since then, the fraud detection kicks in immediately when the skimmed card is used.

      National Australia Bank calls it LENSecure

  8. Slow adoptance because of banks by johnjones · · Score: 3, Informative

    the retailers put up with allowing mag stripe because the banks do

    if EMV actually made the retailer liable for fraud then they would make sure you use pay wave/pass (NFC) and a PIN
    by using a CHIP and PIN it first of all verifies LOCALLY on the chip then generates a One Time Code that gets sent to the issuing network (bank). There is ZERO

    repeat ZERO ways to skim chip and PIN; it's all down to the Mag Stripe

    before some bright spark complains about having to input the numbers into ecommerce sites... Yes this can be secured by 2FA that the banks in europe ask for (you get redirected during the payment process to the bank's website that then asks for your 2FA details)

    basically it's american banks being lazy and don't care about losing customer details... it's just a cost of business to them and they don't care about the retailers' experience either otherwise they would have made NFC cheap and easy

    basically banks need to reduce the fees they charge retailers in return for securing things; 0.5% is common in Europe

  9. my story (tldr; wells fargo is clueless) by TheGratefulNet · · Score: 5, Informative

    sigh. I'd like to type in pages but I won't.

    long story short, I got a text from wells saying they thought something was 'up' with some purchases. I never check sms (I use email and ignore sms) but I later found that text and called wells to check if it was real. it was real and there were thousands of dollars of charges I didn't make. I never lost my card and it was never out of my possession.

    I called wells and we went thru the charges. I told them which were mine and which were unknown to me. I thought that was it and waited to hear back. weeks later, I get a letter in the mail from them saying that they 'investigated' it and since the card was never lost and it was a CHIP BASED CARD, it could NOT BE THEIR FAULT and I was told I had to pay the thousands of dollars of charges!

    I was shocked. I was a member of that bank for over 20 years (yeah, I know, I should have left years ago when wells first had issues reported against them).

    the weeks that they let it sit were weeks that evidence was starting to fade away (video 'tapes' being recycled at stores, etc). I think that was also part of wells' plan, to delay me and make me miss some deadlines.

    I forced them to re-open the 'closed' case and I filed a police report. I was not asked to at first, but when I went to the bank in person and made an issue of this, they asked that I make a formal police report, which I then did.

    get this: one week later, I get letters in the mail from the local court system. they caught 2 people and I was informed that sentencing was going to happen in 1 week and I was allowed to attend, if I wanted. (I suspect that the forged card had my name on it or receipts from stores had my name on it).

    here's the kicker: it took ALL OF THIS in order to convince my bank that it was not me. their line, all along was 'it was a chip card and it never left your possession, in your own words, and chip cards are PERFECT, so pay up, it was you!'. that was their line and until I showed them court papers, they would not give in.

    tell everyone you know about this. the chip cards are less than useless in the US and banks are still putting their fingers in their ears and saying 'I can't hear you, it's still your fault, pay up!'.

    their security system is at fault and yet they blame us.

    it took me MONTHS to get this all cleared out. did I get anything for my time? no. of course not.

    wells fargo can eat shit and die. anyone still with them should leave immediately. I was a 20+ year member and they threw me under the bus for a few thousand dollars. they don't deserve to have a single customer. please leave if you are with them.

    and be very careful with your 'chip' card. there's nothing secure about it. the thieves have it all worked out already ;(

    --
    "It is now safe to switch off your computer."
  10. Re:MST with your watch, token sent by viperidaenz · · Score: 2

    That's also how chip cards and contactless cards work too.
    Except when you're in the USA and all the terminals still allow the use of magstripes, regardless of the card having a chip, then you can bypass the chip completely.

  11. Re:Poland and Serbia by DNS-and-BIND · · Score: 2

    It's always America's fault, isn't it? I mean, fuck peace, let's use our nuclear weapons. Because we got such good press for doing that when we did. I swear, warmongering assholes like you will be the death of us all.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  12. Re:Poland and Serbia by DNS-and-BIND · · Score: 2

    So you KNOW that the US government at the time was riddled with Communist spies, right? Because they were. People like Harry Dexter White, Alger Hiss, Harry Hopkins, the list goes on. The Manhattan project was full of spies. The idea was that capitalism had reached its end, that socialism was the wave of the future, that we had all better get on board now before it all collapsed, stop me if any of this sounds familiar because they still say the same shit today. How was the US government supposed to resist the Soviets when so many people inside it wished to join the Communists?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!