Chip-based credit and debit cards are designed to prevent skimming devices or malware from cloning your card when you pay by dipping the chip instead of swiping the magnetic stripe, according to a recent post on KrebsOnSecurity, a well-known security website. But a recent series of malware attacks on U.S. merchants suggests that thieves are exploiting weaknesses in how some financial institutions have implemented the technology, bypassing key chip card security features and effectively manufacturing usable counterfeit cards.
Traditional payment cards encode the cardholder's account data in plain text on a magnetic stripe that can be read and recorded by skimming devices or by malware secretly installed on payment terminals. The data can then be encoded onto anything else with a magnetic stripe and used for fraudulent transactions.
The newer chip-based cards use a technology called EMV that encrypts the account data stored in the chip. This technology produces a unique encryption key, called a token or "cryptogram", each time a chip card interacts with a chip-capable payment terminal.
In fact, all chip-based cards still carry much of the same data that is stored in the chip encoded on the magnetic stripe on the back of the card. This is largely due to backward compatibility considerations, since many businesses, especially in the United States, still have not fully deployed chip card readers. This dual function also allows cardholders to swipe the magnetic stripe if the card's chip or the merchant's EMV terminal fails for some reason.
However, there is an important difference between the data in the EMV chip and the cardholder data stored on the magnetic stripe. One of them is a component in the chip called the integrated circuit card verification value, or "iCVV", also known as the "dynamic CVV". Unlike the card verification value (CVV) stored on the physical magnetic stripe, the iCVV is meant to prevent someone from copying the magnetic stripe data out of the chip and using that data to create a counterfeit magnetic stripe card. Both the iCVV and the CVV are separate from the three-digit security code printed on the back of the card, which is used mainly for e-commerce transactions or card verification over the phone.
The beauty of the EMV approach is that even if a skimmer or malware successfully intercepts the transaction information when the chip card is dipped, the data is only valid for that one transaction and should not allow thieves to make further fraudulent payments with it.
However, for EMV's security measures to work, the back-end system deployed by the issuing financial institution must check that only the iCVV is presented when a chip card is dipped in a chip reader; if the presented values are inconsistent with the type of transaction, the financial institution should reject the transaction.
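As an added illustration of the issuer-side check just described (example code written for this article, not from KrebsOnSecurity, Visa or any issuer), the toy model below derives a CVV and an iCVV for a constructed card and shows how an authorization system that compares the presented value against the transaction's entry mode rejects chip-derived data arriving in a swipe, while an issuer that skips that comparison accepts it. The keyed derivation (an HMAC stand-in for the real 3DES-based algorithm), the key, the card data and the function names are all assumptions made for the example; the one real detail it relies on is that the iCVV is derived with the service code replaced by 999, which is why it never equals the magstripe CVV of the same card.

```python
import hashlib
import hmac

# Constructed sample key for this example only; a real Card Verification Key
# lives in an HSM and is never present in application code.
CVK = b"example-cvk-not-real"


def derive_cvv(pan: str, expiry: str, service_code: str, key: bytes = CVK) -> str:
    """Toy keyed derivation of a 3-digit verification value.

    Assumption: real issuers use a 3DES-based algorithm over PAN, expiry and
    service code; this HMAC stand-in keeps the same inputs so the example
    runs offline. Adding the service code last guarantees that two different
    service codes never yield the same value for one card.
    """
    base = hmac.new(key, f"{pan}|{expiry}".encode(), hashlib.sha256).digest()
    return f"{(int.from_bytes(base[:4], 'big') + int(service_code)) % 1000:03d}"


def derive_icvv(pan: str, expiry: str, key: bytes = CVK) -> str:
    """The iCVV is the same derivation with the service code replaced by '999'."""
    return derive_cvv(pan, expiry, "999", key)


def authorize(pan, expiry, service_code, presented_value, entry_mode,
              check_entry_mode=True):
    """Issuer-side check. entry_mode is 'chip' (a dip) or 'swipe' (a stripe read).

    Returns (approved, reason). With check_entry_mode=False the issuer behaves
    like the misconfigured ones the article describes: any value that is valid
    for the card is accepted regardless of how the card was read.
    """
    stripe_value = derive_cvv(pan, expiry, service_code)
    chip_value = derive_icvv(pan, expiry)
    if not check_entry_mode:
        ok = presented_value in (stripe_value, chip_value)
        return ok, "approved without entry-mode check" if ok else "value mismatch"
    expected = chip_value if entry_mode == "chip" else stripe_value
    if presented_value != expected:
        return False, f"{entry_mode} transaction carried the wrong verification value"
    return True, "approved"


def outcomes():
    """Present the iCVV read from a chip dip in three different settings."""
    pan, expiry, svc = "4000001234567899", "2612", "201"   # constructed card
    icvv = derive_icvv(pan, expiry)
    return {
        # genuine dip: iCVV is exactly what a chip transaction should carry
        "chip_dip": authorize(pan, expiry, svc, icvv, "chip")[0],
        # the same value arriving in a swipe is rejected by a strict issuer
        "swipe_strict_issuer": authorize(pan, expiry, svc, icvv, "swipe")[0],
        # and accepted by an issuer that never looks at the entry mode
        "swipe_lax_issuer": authorize(pan, expiry, svc, icvv, "swipe",
                                      check_entry_mode=False)[0],
    }


if __name__ == "__main__":
    print(outcomes())
```

The decisive line is the one that selects `expected` from the entry mode: an issuer that only asks "is this a value I issued for this card?" cannot tell a genuine dip from stripe data copied out of the chip, whereas one that asks "is this the value that belongs to this kind of transaction?" can.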
The problem is that not all financial institutions have set up their systems to perform this check correctly. Not surprisingly, thieves have known about this weakness for years. In 2017, Brian Krebs wrote about the growing popularity of "shimmers", high-tech bank card theft devices designed to intercept chip card transaction data.
Recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip cards from 10 different banks in Europe and the United States. The researchers found that they could collect data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.
There are strong indications that the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data, which can then be resold and used to make magnetic stripe copies of chip-based cards.
Earlier this month, Visa, the world's largest payment card network, issued a security alert about a recent merchant breach in which a known strain of POS malware was apparently modified to target EMV chip-enabled POS terminals.
"The implementation of secure acceptance technologies, such as EMV® chips, significantly reduces the usability of payment account data by the threat actor, as the available data includes only the personal account number (PAN), the integrated circuit card verification value (iCVV) and the expiration date," Visa wrote. "Therefore, as long as the iCVV is properly verified, the risk of counterfeit fraud is minimal. In addition, many merchant locations use point-to-point encryption (P2PE) to encrypt PAN data, further reducing the risk to payment accounts processed with EMV® chips."
Visa did not name the affected merchants, but Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States, appears to have suffered a similar breach. Key Food initially disclosed a card data breach in March 2020, but updated its advisory two weeks ago to clarify that EMV transaction data was also intercepted.
"The POS devices involved at the store locations are EMV-enabled," Key Food explains. "For EMV transactions at these locations, we believe that only the card number and expiration date would have been found by the malware (but not the cardholder's name or internal verification code)."
While Key Food's claim may be technically accurate, it obscures the reality that the stolen EMV data can still be used by fraudsters to create magnetic stripe versions of the EMV cards dipped at the compromised store registers, if the issuing bank has not properly implemented EMV.
It follows a blog post by the fraud intelligence firm Gemini Advisory that provided more information about recent merchant intrusions, including Key Food, in which EMV transaction data was stolen and eventually sold in underground shops catering to card thieves.
"The payment cards stolen in this data breach were sold on the dark web," Gemini explained. "Shortly after the breach was discovered, several financial institutions confirmed that the cards compromised in the breach were all processed as EMV and did not rely on the magnetic stripe as a fallback."
Gemini said it had verified another recent data breach, at a liquor store in Georgia, that also resulted in intercepted EMV transaction data turning up in dark-web shops selling stolen card data. As both Gemini and Visa point out, in both cases proper iCVV validation by the banks should have made the intercepted EMV data useless to fraudsters.
Gemini determined that, because of the large number of stores affected, it was highly unlikely that the thieves behind the breach intercepted the EMV data using physically installed shimmers.
"Given the impractical nature of this strategy, they likely used a different technique to remotely break into POS systems to collect enough EMV data to perform EMV-bypass cloning," the company wrote.
Stas Alforov, Gemini's director of research and development, said financial institutions that do not perform these checks also risk losing the ability to notice when their cards are being used for fraud. That is because many banks that issue chip cards may assume that, as long as the cards are used for chip transactions, there is little risk of them being cloned and sold underground. As a result, when these institutions look for patterns in fraudulent transactions to determine which merchants may have been compromised by POS malware, they may not consider chip-based payments at all, focusing only on merchants where customers swiped their cards.
"The networks are seeing that there are more EMV-based data breaches now," Alforov said. "Large card issuers like Chase or Bank of America are indeed checking for a mismatch between the iCVV and CVV and will reject the mismatched transactions. That is clearly not the case with some smaller institutions."