Chip-and-PIN technology has become the de facto standard for in-person credit and debit-card transactions in the U.S., but a lack of merchant compliance means that cards are still being compromised in the millions.
Chip cards, which contain an embedded microprocessor that encrypts the card data, are more secure than magnetic stripe cards. They implement the EMV (Europay, MasterCard and Visa) standard, a global standard for chip cards that are compatible with point-of-sale (PoS) terminals. It became the default type of card when the major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – decided to shift payment-card fraud liability to merchants in 2015 if they do not have an EMV payment system. The exception is gas stations, which have until 2020 to make the switch.
The massive Home Depot and Target data breaches, in which payment-card information was compromised by the millions and change was demanded, also led to the adoption of chip cards.
A total of 60 million U.S. cards were compromised in the past year, according to a study by Gemini Advisory based on telemetry data collected from various Dark-Web sources. Around 93% of these cards were EMV chip-enabled, but the merchants continued to use mag stripes.
About 75%, or 45.8 million, of the records were stolen from in-person transactions. These were compromised through card-skimming malware and point-of-sale (POS) breaches at retailers, hotels, restaurants and similar businesses.
Additional results show that the U.S. leads in the total number of compromised EMV payment cards, with a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground. They were split into 11.3 million card-not-present records and 4.6 million card-present records, and 4.3 million of them were EMV-enabled. This indicates that the theft level of EMV-enabled card data in the U.S. is 868% higher than in the rest of the world combined.
The reason for this state of affairs is the lack of U.S. merchant compliance, as most merchants still use the mag-stripe function at PoS terminals.
Gemini explained that various merchant locations ask their customers to swipe rather than use the chip-insert method, thereby ignoring the EMV security features. In certain situations, retailers resist migrating to newer EMV technology because of the high cost of the equipment. Completely upgrading the hardware and software of a POS terminal would cost several thousand dollars, which is difficult for small to medium-sized businesses and leaves them exposed to card-present fraud.
Financially motivated threat groups like the FIN7 gang tend to compromise merchant networks, find their way to POS terminals and deploy POS malware. When the malware identifies a card’s track data, the data is copied, encoded and finally exfiltrated to a command and control server.
Card-present data is also collected manually by skimmer groups, who use custom-made hardware known as “shimmers” to record and exfiltrate data from ATMs and POS systems. Shimmers sit between the chip on the card and the chip reader in the ATM or point-of-sale device and record the data on the chip as it is read by the underlying machine.
If the EMV functionalities are not fully used, the track 1 and track 2 data stolen from the chip transaction can be encoded by the attacker onto any magnetic stripe.
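One way an issuer or acquirer can spot the swipe-instead-of-insert pattern described above is to read the service code in track 2, whose first digit (2 or 6 per ISO/IEC 7813) marks a chip card. The following is an added example, not code from the Gemini study; the transaction field names (`entry`, `terminal_chip_capable`) and the sample tracks are constructed assumptions.

```python
import re

# ISO/IEC 7813 track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
CHIP_FIRST_DIGITS = {"2", "6"}  # first service-code digit: the card carries a chip


def luhn_ok(pan):
    """Standard Luhn checksum over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw):
    """Return masked card fields, or None if the track is malformed."""
    m = TRACK2.match(raw)
    if not m or not luhn_ok(m.group(1)):
        return None
    pan, expiry, service, _ = m.groups()
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": expiry,
        "service_code": service,
        "chip_card": service[0] in CHIP_FIRST_DIGITS,
    }


def review(txn):
    """Flag magnetic-stripe reads of cards whose service code says 'use the chip'."""
    card = parse_track2(txn["track2"])
    if card is None:
        return "reject: malformed track 2"
    if txn["entry"] == "swipe" and card["chip_card"]:
        if txn["terminal_chip_capable"]:
            return "flag: chip card swiped at chip-capable terminal"
        return "flag: chip card swiped at magstripe-only terminal"
    return "ok"


# Constructed sample data using a well-known test PAN, not a real card.
CHIP_TRACK = ";4111111111111111=25122010000000000?"
STRIPE_ONLY_TRACK = ";4111111111111111=25121010000000000?"
```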
They also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small or medium-sized businesses are becoming the main targets for cybercriminals.