Theoretical technique to abuse EMV cards detected used in the real world
Two weeks ago, ZDNet reported on the results of a very interesting experiment that analyzed how banks implemented EMV (chip) cards on their networks.
In the experiment, researchers from Cyber R&D Lab signed up for EMV (chip) cards at 11 banks from the US, the UK, and the EU.
The research team then used tools similar to the ones used by criminal gangs to copy the information stored on EMV cards and their magnetic stripes.
Researchers took the data from the EMV card and created a magnetic stripe version of the same card, but without the actual chip.
This is possible because all EMV cards also come with a magnetic stripe, for fallback purposes, in case the user travels abroad to non-EMV countries, or has to use an older point-of-sale terminal.
The fact that you could create a magstripe version from EMV cards has been known since 2008; however, fears that it could be abused have been dismissed, as banks expected to move all users to EMV cards and eliminate magstripe cards from the market altogther.
But until that happened and all magstripe versions were removed, banks were supposed to follow a series of security checks before approving inter-technology payments.
This hasn't happened, however, and the loophole first described in 2008 has remained. Case and point, the Cyber R&D Labs experiment, during which researchers said they were able to make valid transactions using four of the EMV-to-magstripe cloned cards.
Researchers blamed banks for failing to follow security checks when approving transactions. However, two weeks ago, the issue was thought to have remained a theoretical problem only.
More than a theoretical threat
But in a report published yesterday, security firm Gemini Advisory said it tracked down two instances on cybercrime forums where hackers had collected EMV card data and were offering it for sale.
This included EMV card data stolen from US supermarket chain Key Food Stores Co-Operative Inc. and US wine and liquor store Mega Package Store, Gemini said.
Furthermore, a Visa alert [PDF] sent out this month also seems to confirm that criminals are now targeting EMV card data. Visa said that that POS malware strains like Alina POS, Dexter POS, and TinyLoader had been updated to collect EMV card data, something they hadn't done before, primarily because the data couldn't be monetized.
Gemini says that both of these incidents -- the ads posted on cybercrime forums and the Visa alert -- suggest that hackers have figured out they could abuse EMV card data.
Gemini now believes that the method criminals are using is the one described many years ago, and the subject of Cyber R&D Labs' recent research -- a method they named EMV-Bypass Cloning.
Blocking this type of fraud should be easy, though, as banks only need to implement more thorough checks when processing magstripe transactions from cards previously associated with EMV technology.
As the Cyber R&D Labs research showed, some banks do, but some do not.