Page 8 - Cyber Warnings
P. 8
In fact, we recently discovered a next-generation EMV skimmer that is both small enough to fit
inside a standard point of sale (PoS) terminal and able to store up to 5,000 records at one time.
This device uses the terminal's internal power supply and can be left inside indefinitely. To
retrieve the skimmed information, criminals insert a special memory card that resembles a
standard credit card into the PoS terminal.
Most notably, this skimmer comes equipped with decryption software. This enables criminals to
de-obfuscate the encrypted payment information, which can later be copied and recorded onto a
plain magstripe card. Though likely developed in one of the Baltic countries, the device was
advertised in the Spanish underground and sold for the hefty price of $3,000.
Not all EMV technologies are created equal
Many people don’t realize that there are in fact two different generations of EMV technology.
Indeed, many financial organizations in South America are reliant on the first generation, which
is known as Static Data Authentication (SDA). Unfortunately, SDA renders cardholders
substantially more susceptible to skimming and cloning attacks. In many cases, due to
significant issuance costs, banks have decided to postpone the deployment of more
sophisticated and improved smart cards based on Dynamic Data Authentication (DDA) protocol,
which can cost up to five times more than SDA.
It is important to highlight, however, that criminals have yet to develop a reliable solution for
cloning compromised EMV smart cards utilizing DDA technology. Despite the recently
discovered skimmers, criminals are still left with a single option for decoding the stored data and
attempting to clone the information onto magstripe blanks. However, the latest antifraud
systems can quickly identify unauthorized swiped transactions for EMV-supported payment
cards, subsequently lowering the chances of a successful fraudulent purchase. As North
American financial institutions continue to phase out previously-issued magstripe cards, the
overall exposure to card-present fraud will inevitably decrease.
Threats on the horizon
We foresee that in the coming years, the most significant threats will not be related to the EMV
technology itself, but rather to the false sense of security it fosters in the minds of business
owners and the financial industry. Having blind faith in the supposed invulnerability of
technology can yield disastrous results. What we see time and time again is that once the level
of potential payoff reaches a tipping point of "too big not to steal," criminals always find a way to
rig the system.
As with any man-made technology, all it takes is an equally-intelligent person to find a solution.
Whoever finds the way to bypass smart card security could easily become a multi-millionaire
overnight. When the day comes that malicious actors find a loophole, organizations will likely be
completely unprepared to mitigate the threat.
8 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
