Is your bank card with a chip safe? Depends on the bank
Chip-based bank cards are designed so that cloning them with skimmers or malware is pointless when a payment is made with the chip rather than the magnetic stripe. However, several recent attacks on American retailers indicate that thieves are exploiting weaknesses in how some financial institutions have implemented this technology, which lets them bypass the chip protections and, in effect, produce usable counterfeit cards.
Traditionally, plastic cards encode the cardholder's account data in plain text on a magnetic stripe. Skimmers or malware hidden in payment terminals can read that data and record it; it can then be encoded onto any other magnetic stripe card and used for fraudulent transactions.
More modern cards use EMV technology (named for Europay, MasterCard and Visa), which encrypts the account data stored on the chip. Each time such a card interacts with a chip-capable terminal, a unique one-time key is generated, called a token or cryptogram.
Almost all chip cards also store the same data that is encoded on the card's magnetic stripe. This is for backward compatibility, since many US merchants have yet to switch to chip-enabled terminals; it also lets cardholders fall back to the magnetic stripe if the chip or the merchant's terminal is not working properly.
However, there are several differences between the data stored on an EMV chip and the data on the magnetic stripe. One of them is a chip component called the Integrated Circuit Card Verification Value, or iCVV, which is sometimes also referred to as a “dynamic CVV”.
The iCVV differs from the CVV stored on the magnetic stripe, and it protects against data copied from the chip being used to create a counterfeit magnetic stripe card. Neither the iCVV nor the CVV is the three-digit code printed on the back of the card, which is typically used for online purchases or to verify the card by phone.
The advantage of the EMV approach is that even if a skimmer or malware intercepts the data from a card transaction, that data is valid only for that single transaction and should not allow thieves to make fraudulent payments afterwards.
For this scheme to work, however, the back-end systems of the financial institutions that issue the cards must verify that when a card is dipped into a chip reader, only the iCVV is presented along with the transaction data, and conversely that when a card is swiped, only the CVV is presented. If the verification value does not match the transaction type, the issuer must decline the transaction.
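The issuer-side check described above, as an added example that is not part of the original post and not any bank's or card network's code. The card records, PANs and CVV/iCVV values are constructed for illustration (a real issuer derives these values under its own keys); `authorize` is the strict check the post calls for, and `authorize_lenient` is the weak configuration it warns about, so the two can be compared on a chip read that has been replayed as a swipe.

```python
"""Issuer-side check that the card verification value matches the entry mode.

Added example, not from the original post.  Card records, PANs and the
CVV/iCVV values below are constructed for illustration; a real issuer
derives CVV and iCVV from the card data under its own keys.
"""
from dataclasses import dataclass
from enum import Enum
import hmac


class EntryMode(Enum):
    CHIP = "chip"            # card dipped into a chip reader
    MAGSTRIPE = "magstripe"  # magnetic stripe swiped


@dataclass(frozen=True)
class CardRecord:
    pan: str
    cvv: str   # value encoded on the magnetic stripe
    icvv: str  # value carried in the chip's track-2-equivalent data


# Constructed issuer records (hypothetical PANs and verification values).
ISSUER_DB = {
    "4111111111111111": CardRecord("4111111111111111", cvv="734", icvv="219"),
    "5500000000000004": CardRecord("5500000000000004", cvv="081", icvv="908"),
}


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str


def authorize(pan: str, entry_mode: EntryMode, presented_cvv: str,
              db: dict = ISSUER_DB) -> Decision:
    """Strict check: the verification value must be the one the entry mode implies."""
    record = db.get(pan)
    if record is None:
        return Decision(False, "unknown PAN")
    expected = record.icvv if entry_mode is EntryMode.CHIP else record.cvv
    # compare_digest avoids leaking how many characters matched via timing.
    if hmac.compare_digest(presented_cvv, expected):
        return Decision(True, f"{entry_mode.value}: verification value matches")
    # Classify the mismatch so the fraud team can see what happened.
    if entry_mode is EntryMode.MAGSTRIPE and hmac.compare_digest(presented_cvv, record.icvv):
        return Decision(False, "iCVV presented on a swipe: chip data replayed onto a magstripe clone")
    if entry_mode is EntryMode.CHIP and hmac.compare_digest(presented_cvv, record.cvv):
        return Decision(False, "CVV presented on a chip read: does not match the chip's iCVV")
    return Decision(False, "verification value does not match any value on record")


def authorize_lenient(pan: str, entry_mode: EntryMode, presented_cvv: str,
                      db: dict = ISSUER_DB) -> Decision:
    """The weak configuration the post warns about: accept either value, ignoring entry mode."""
    record = db.get(pan)
    if record is None:
        return Decision(False, "unknown PAN")
    if presented_cvv in (record.cvv, record.icvv):
        return Decision(True, "verification value matches a value on record (entry mode ignored)")
    return Decision(False, "verification value does not match any value on record")


def replay_scenario(pan: str = "4111111111111111"):
    """Chip transaction data captured at a terminal is re-encoded onto a magstripe card.
    Returns (strict decision, lenient decision) for the cloned swipe."""
    captured_icvv = ISSUER_DB[pan].icvv          # what terminal malware sees on a chip read
    swipe = (pan, EntryMode.MAGSTRIPE, captured_icvv)
    return authorize(*swipe), authorize_lenient(*swipe)


if __name__ == "__main__":
    strict, lenient = replay_scenario()
    print("strict issuer: ", strict)
    print("lenient issuer:", lenient)
```

Run it as a script and the strict issuer declines the cloned swipe with a reason that names the replay, while the lenient issuer approves it; the declined-with-reason record is also what a fraud team needs to spot which merchant's terminals are leaking chip data.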
The problem is that not all institutions have configured their systems correctly, and thieves have known about these weak points for years. In 2017, I wrote about the growing use of “shimmers”, high-tech skimmers that intercept data from chip-based transactions.
Shimmer found at a Canadian ATM
Researchers at Cyber R&D Labs recently published a study in which they tested 11 chip-card implementations from 10 different banks in Europe and the United States. They found they could extract data from four of them, create cloned magnetic stripe cards, and use those clones successfully for payments.
There is every reason to believe that the method described in detail by Cyber R&D Labs is being used by malware installed in store payment terminals. The malware intercepts transaction data from EMV chip reads, which can then be sold and used to make magnetic stripe copies of the chip cards.
In July 2020, Visa, the world's largest payment network, issued a warning about security threats involving the terminals of a recently compromised merchant. The malware in that merchant's terminals had been modified to work with chip cards.
“The implementation of secure payment technologies such as the EMV Chip has significantly reduced the benefits of payment account data for third parties, since this data includes only the primary account number (PAN), the iCVV card verification value and the expiration date,” Visa wrote. “Therefore, with correct iCVV validation, the risk of counterfeiting was minimal. In addition, many merchants have used P2PE-encrypted terminals that encrypt the PAN, further reducing the risk.”
The merchant was not named, but something similar appears to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed the card breach in March 2020, but updated its statement in July 2020 to clarify that EMV transaction data had also been intercepted.
“The terminals at the stores were EMV-enabled,” Key Food explained. “In our view, during transactions at these locations the malware could only have intercepted the card number and expiration date (not the cardholder's name and not the internal verification code).”
While Key Food's statement is technically correct, it glosses over the reality: stolen EMV data can still be used to create magnetic stripe versions of the cards, which can then be used at checkouts if the issuing bank has not implemented its EMV checks correctly.
In July, the anti-fraud company Gemini Advisory published a blog post detailing recent breaches at merchants, including Key Food, in which EMV transaction data was stolen and later offered for sale in underground carding shops.
“The payment cards stolen during this incident were being offered for sale on the dark web,” Gemini explains. “Shortly after the incident was discovered, several financial institutions confirmed that all of the affected cards were processed as EMV transactions, without relying on the magnetic stripe as a fallback.”
Gemini says it has confirmed that another security incident, at a liquor store in Georgia, also compromised EMV transaction data that later surfaced on dark web sites selling stolen cards. As both Gemini and Visa note, in both cases correct iCVV validation by the banks should have rendered the data useless to fraudsters.
Gemini determined that the sheer number of affected stores made it highly unlikely that the thieves had intercepted the EMV data with manually installed EMV shimmers.
“Given the impracticality of this tactic, it can be concluded that they used a different technique to breach the payment terminals and collect enough EMV data to perform EMV-Bypass Cloning,” the company wrote.
Stas Alforov, Gemini's director of research and development, said that financial institutions that do not perform these iCVV/CVV checks also lose the ability to track where misuse of those cards is occurring.
Many banks that issue chip cards assume that as long as those cards are used in chip-based transactions, there is practically no risk of their being cloned and sold in underground markets. So when these institutions look for patterns in fraudulent transactions to determine which merchants' equipment has been compromised by malware, they may overlook chip-based payments entirely and focus only on the checkouts where customers swiped the magnetic stripe.
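The blind spot described above, shown as an added example that is not part of the original post: a common-point-of-purchase analysis over a constructed transaction log. Given the set of cards later reported as fraudulent, it ranks merchants by how many of those cards transacted there. With `include_chip=False` it reproduces the mistake of examining only magstripe swipes, and the compromised merchant (whose breach only touched chip reads) disappears from the result. Card identifiers, merchant names and the threshold are all assumptions.

```python
"""Common-point-of-purchase analysis that does not ignore chip transactions.

Added example, not part of the original post.  The transaction history,
card identifiers and merchant names below are constructed; a real issuer
would feed this from its authorization logs.
"""
from collections import Counter

# Constructed transaction history: (card, merchant, entry_mode).
# grocery-17 is the compromised merchant; every fraud-reported card used its
# chip there, and only there, so a swipe-only review never sees the pattern.
TRANSACTIONS = [
    ("card-A", "grocery-17", "chip"),
    ("card-A", "fuel-03", "magstripe"),
    ("card-B", "grocery-17", "chip"),
    ("card-B", "coffee-08", "chip"),
    ("card-C", "grocery-17", "chip"),
    ("card-C", "fuel-03", "magstripe"),
    ("card-D", "grocery-17", "chip"),
    ("card-D", "coffee-08", "magstripe"),
    ("card-E", "coffee-08", "magstripe"),  # never reported as fraud
]

# Cards whose holders later reported counterfeit transactions (constructed).
REPORTED_FRAUD = {"card-A", "card-B", "card-C", "card-D"}


def common_points(transactions, fraud_cards, include_chip=True):
    """Rank merchants by the number of distinct fraud-reported cards seen there.

    include_chip=False mimics an issuer that reviews only magstripe swipes
    when hunting for the compromised merchant.
    """
    seen = set()  # (card, merchant) pairs, so repeat visits count once
    for card, merchant, mode in transactions:
        if card not in fraud_cards:
            continue
        if mode == "chip" and not include_chip:
            continue
        seen.add((card, merchant))
    counts = Counter(merchant for _, merchant in seen)
    return counts.most_common()


def likely_breach_point(transactions, fraud_cards, include_chip=True, min_share=0.75):
    """Return the merchant visited by at least min_share of the fraud-reported
    cards, or None when no merchant clears that bar."""
    ranked = common_points(transactions, fraud_cards, include_chip)
    if not ranked:
        return None
    merchant, n = ranked[0]
    return merchant if n >= min_share * len(fraud_cards) else None


if __name__ == "__main__":
    print("all entry modes: ", likely_breach_point(TRANSACTIONS, REPORTED_FRAUD))
    print("swipes only:     ", likely_breach_point(TRANSACTIONS, REPORTED_FRAUD, include_chip=False))
```

With chip reads included, all four fraud-reported cards share grocery-17 and it is named as the likely breach point; restricted to swipes, the strongest candidate is fuel-03 with only two cards, below the threshold, so the review ends with no answer.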
“Card networks are starting to realize that many more EMV transactions are now being compromised,” Alforov said. “Larger card issuers like Chase or Bank of America are already checking for iCVV and CVV inconsistencies and rejecting suspicious transactions. Smaller institutions, however, clearly are not.”
For better or worse, we do not know which financial institutions have implemented the EMV standard incorrectly. You should therefore monitor your card spending carefully and report any unauthorized transactions immediately. If your bank offers text-message alerts for transactions, they will help you track such activity in near real time.