By Andrei Barysevich
Introduced by the financial industry in the early 2000s, EMV smart payment cards have largely supplanted magnetic stripe technology, and for good reason. Due to concerns surrounding insufficient security measures, usage of the once-ubiquitous “magstripe” payment cards has since sharply declined in most countries. The United States, however, continues to remain dependent on outdated technology.
Despite proven advantages shown to significantly lower — and in many cases, reverse — established levels of card-present fraud, the United States continues to lag behind on the implementation of EMV. This delay is largely attributed to the inherent costs and minimal incentives for banks to migrate from the outdated magnetic stripe infrastructure.
Payment fraud declining
As long as magstripe cards remain in use, their inherent security flaws will continue to render cardholders more susceptible to fraud. The problem is that magnetic strip technology stores payment information in plain text on the card’s magnetic stripe, which makes the cardholder’s financial information vulnerable to a variety of skimming techniques used to commit fraud. EMV technology, however, provides significantly stronger protection by encoding and storing the cardholder’s payment information on an integrated circuit embedded within the card.
Indeed, ever since the rollout of EMV smart cards, card-present fraud has been decreasing for the first time ever. Criminals are struggling to find workable solutions to bypass the implemented security controls, providing a needed reprieve for exhausted consumers and financial organizations. Despite the obvious advantages, however, many business owners remain hesitant to accept EMV smart payment cards. This is largely due to the complexity of the technology. Many are concerned that EVM’s significantly longer card processing time may inadvertently put customers’ at an increased risk of information theft and criminal targeting.
Cybercriminals adapt to EMV
Despite EVM’s implementation challenges, recent observations suggest a decline in the supply of stolen payment information being sold on the cybercriminal underground. Consequently, both demand and prices for such stolen information have significantly increased.
Alone, the destabilization of established supply and demand levels on the cybercriminal underground is a cause for concern. This disturbance will inevitably create a lucrative environment for attracting criminal syndicates with unlimited financial and technical resources to develop the technology to bypass EMV controls.
In fact, we recently discovered a next-generation EMV skimmer that is both small enough to fit inside a standard point of sale (PoS) terminal and able to store up to 5,000 records at one time. This device uses the terminal’s internal power supply and can be left inside indefinitely. To retrieve the skimmed information, criminals insert a special memory card that resembles a standard credit card into the PoS terminal.
Most notably, this skimmer comes equipped with decryption software. This enables criminals to de-obfuscate the encrypted payment information, which can later be copied and recorded onto a plain magstripe card. Though likely developed in one of the Baltic countries, the device was advertised in the Spanish underground and sold for the hefty price of $3,000.
Not all EMV technologies are created equal
Many people don’t realize that there are in fact two different generations of EMV technology. Indeed, many financial organizations in South America are reliant on the first generation, which is known as Static Data Authentication (SDA). Unfortunately, SDA renders cardholders substantially more susceptible to skimming and cloning attacks. In many cases, due to significant issuance costs, banks have decided to postpone the deployment of more sophisticated and improved smart cards based on Dynamic Data Authentication (DDA) protocol, which can cost up to five times more than SDA.
It is important to highlight, however, that criminals have yet to develop a reliable solution for cloning compromised EMV smart cards utilizing DDA technology. Despite the recently discovered skimmers, criminals are still left with a single option for decoding the stored data and attempting to clone the information onto magstripe blanks. However, the latest anti-fraud systems can quickly identify unauthorized swiped transactions for EMV-supported payment cards, subsequently lowering the chances of a successful fraudulent purchase. As North American financial institutions continue to phase out previously-issued magstripe cards, the overall exposure to card-present fraud will inevitably decrease.
Threats on the horizon
We foresee that in the coming years, the most significant threats will not be related to the EMV technology itself, but rather to the false sense of security it fosters in the minds of business owners and the financial industry. Having blind faith in the supposed invulnerability of technology can yield disastrous results. What we see time and time again is that once the level of potential payoff reaches a tipping point of “too big not to steal,” criminals always find a way to rig the system.
As with any man-made technology, all it takes is an equally-intelligent person to find a solution. Whoever finds the way to bypass smart card security could easily become a multi-millionaire overnight. When the day comes that malicious actors find a loophole, organizations will likely be completely unprepared to mitigate the threat.
Based on Flashpoint’s in-depth knowledge of the criminal underground, we have noticed a surprising level of consensus amongst cybercriminals that the latest generation of payment platforms, such as Apple Pay and Google Pay, have thus far proved to be highly robust and secure — far superior to EMV.
Recommendations
As much as we want to rely solely on banks to protect us from criminals, all of us can follow these simple recommendations to significantly lower the chances of compromise:
1) Always utilize robust alerting systems built within banking applications.
2) Activate pre-authorization and purchase notifications for amounts as small as $1. Criminals will often test stolen records on a cup of coffee before attempting to use it at the nearest Apple store. If you only receive alerts for large amounts, by the time you spot a fraudulent purchase and contact your bank, the criminals will be long gone and may have successfully spent hundreds, if not thousands, of your money.
3) Never use your debit card for any online or in-store purchases. If the card is compromised, it will be a painfully long process to get the money reimbursed by a bank. In some cases, if funds are stolen using a PIN number, some banks may not reimburse you at all. Considering monthly mortgage and loan payments among others, many people don’t have the luxury of losing access to their funds.
4) If possible, use a separate credit card for all commercial purchases. The compromise of a credit card will not affect you financially while the bank investigates the theft. If you are absolutely against credit cards and adhere to strict financial practices, open up a separate bank account and only maintain a balance sufficient to cover your average monthly expenses, thus limiting the exposure to your main bank account.
About the Author
Andrei Barysevich is the Director of Advanced Collection at Recorded Future. He specializes in threat intelligence on highly restrictive criminal communities and he oversees proactive intelligence operations. A native Russian speaker, Andrei was previously an independent e-commerce fraud researcher and a private consultant for the FBI’s New York Cybercrime field office. Andrei’s work and commentary have been featured in The Wall Street Journal, Motherboard, The Atlantic, and numerous other publications. For the past 13 years, he has been involved in multiple high-profile international cases resulting in successful convictions of members of crime syndicates operating global reshipping, money laundering, and bank fraud schemes.