Chip-based credit and debit cards are perceived as being very good at fending off skimming attempts and malware attacks. Being able to use your card by tapping it appears to be better than swiping its magnetic stripe through a point of sale (POS) terminal. But rising numbers of malware attacks on merchants in the US suggest there are weaknesses whichever method you use.
Criminals are exploiting the built-in technology centered around EMV, the technology originally developed by the three major card suppliers: Europay, Mastercard and Visa. The encryption methods used in EMV have long been seen as a more secure way of keeping data safe, especially compared to cards armed with just a magnetic stripe.
However, because not all outlets in the US have chip card readers, or due to the possibility of malfunctioning hardware, cards also still carry the magnetic stripe that can be used during transactions. This dual functionality could be leaving merchants open to ‘shimming’ attacks, which can occur when a series of system cross-checks is being made during a transaction. These include checking the three-digit security code printed on the back of a card.
While all chip-based cards carry much the same data as the magnetic stripe, there are key differences between them. Central to this is a component called an iCVV, or integrated circuit card verification value. This so-called dynamic CVV found on an EMV chip is different from the regular CVV on a magnetic stripe and helps prevent the magnetic stripe data from being used to create fake magnetic stripe cards.
Magnetic stripe cards
Security issues can also arise if financial institutions haven’t set up their back-end systems as well as they could have.
Researchers at Cyber R&D Labs recently published a report illustrating how they tested 11 chip card setups from 10 different European and US banks. The results showed that it was possible to harvest data from four, resulting in the ability to produce working magnetic stripe cards that could be used for transactions.
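The back-end gap described above comes down to whether the issuer ties the expected verification value to how the card was read. The sketch below is an added example, not code from the article or the researchers' report, and it puts a lax check beside a strict one. The card values, entry-mode labels and function names are constructed for illustration, and the chip's other protections are not modelled.

```python
from dataclasses import dataclass
import hmac

@dataclass(frozen=True)
class CardRecord:
    """Issuer-side record; both values are constructed for this example."""
    pan: str
    stripe_cvv: str   # CVV encoded on the magnetic stripe
    chip_icvv: str    # iCVV carried in the chip's stripe-equivalent data

@dataclass(frozen=True)
class AuthRequest:
    pan: str
    entry_mode: str       # "chip" or "magstripe" (hypothetical labels)
    presented_value: str  # verification value read from the card

def _same(a, b):
    # Constant-time comparison of verification values.
    return hmac.compare_digest(a.encode(), b.encode())

def lax_backend(card, req):
    """Misconfigured check: accepts either value, whatever the entry mode."""
    ok = (_same(req.presented_value, card.stripe_cvv)
          or _same(req.presented_value, card.chip_icvv))
    return "approve" if ok else "decline"

def strict_backend(card, req):
    """Ties the expected value to the entry mode; flags an iCVV on a stripe read."""
    if req.entry_mode == "chip":
        return "approve" if _same(req.presented_value, card.chip_icvv) else "decline"
    if req.entry_mode == "magstripe":
        if _same(req.presented_value, card.stripe_cvv):
            return "approve"
        if _same(req.presented_value, card.chip_icvv):
            return "decline-flag-cloned-chip-data"  # chip data replayed as a stripe
    return "decline"

# Constructed sample data: test PAN and made-up verification values.
CARD = CardRecord(pan="4111111111111111", stripe_cvv="123", chip_icvv="456")
GENUINE_SWIPE = AuthRequest(CARD.pan, "magstripe", "123")
GENUINE_CHIP = AuthRequest(CARD.pan, "chip", "456")
CLONED_STRIPE = AuthRequest(CARD.pan, "magstripe", "456")

if __name__ == "__main__":
    cases = [("genuine swipe", GENUINE_SWIPE), ("genuine chip", GENUINE_CHIP),
             ("cloned stripe", CLONED_STRIPE)]
    for name, req in cases:
        print(f"{name:14} lax={lax_backend(CARD, req):8} "
              f"strict={strict_backend(CARD, req)}")
```

The flagged decline is the useful signal for fraud teams: an iCVV arriving on a stripe read indicates chip data was captured and re-encoded.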
Indications suggest that point of sale (POS) malware is being used by criminals to capture EMV transaction data. This is then being resold on the Dark Web, allowing thieves to produce magnetic stripe variants of chip-based cards.
Visa also recently released a security alert highlighting the issue of compromised EMV chip-enabled POS terminals. Malware variants included Alina POS, Dexter POS and TinyLoader. The alert issued a series of recommendations for merchants to follow in order to reduce the risk of exposure.
- Via: KrebsonSecurity