Chip Card Fraud: Are You At Risk?
The recent shift to chip-based cards has got everybody thinking about fraud, so perhaps now is a good time to go over the types of fraud that you should be on the lookout for as a business owner. The good news is, in every other country where chip-and-PIN cards have been introduced, card-present fraud has dramatically declined. Unfortunately, we haven’t quite made it to chip-and-PIN cards yet, and (as you’ll see) fraudsters are very, very resourceful. America has arrived late to the EMV game, so many smart card workarounds have already been invented. Now it’s time for us to play catch-up.
There are many different types of fraud that could hurt your business–some old, and some new. Since magstripes are still around, we can’t forget about the classic methods of fraud, but you also need to be on the lookout for new methods as well. Ready? Let’s begin!
Fake/Doctored Cards
Doctored cards are pre-existing cards that have the magstripe data and the details on the card face altered (through the use of electro-magnets). When the card is swiped, it will come up with an error and force the merchant to key in details manually. Fake cards are essentially the same, but they start from scratch instead of using a pre-existing card.
This is a pretty primitive method of fraud. It’s also going out of style due to the increased complexity of credit card designs which, crazily enough, are there to combat this type of forgery. But hey–who knows? It could still happen.
Skimming
This method involves using reprogrammed technology to collect information off of people’s cards, or using cameras to record the victim’s PINs. Often, this trick is pulled off at unstaffed ATMs or gas stations–the fraudster will plant a fake card swiper to pick up numbers from a magstripe, and a camera or device placed in the keypad to record the PIN. However, it can also be done within businesses as well: POS terminals can be altered to record card data and PINs, or employees can use small cardswipes to pick up the data when the card is removed from the customer’s sight (such as in a restaurant).
The skimmed magstripe data can then be copied onto another card and used with any swiper. Keep in mind that despite the emergence of EMV machines, fraudsters can still pull this off by disabling the chip in a chipped card so that merchants have to fall back on swiping.
I would highly recommend checking out this website, which has pictures of skimming technology. Unfortunately, skimmers are often difficult to spot because they are just re-purposed POS equipment. Paranoid yet?
Those who don’t learn from history, etc. etc. A warning:
While EMV technology is still in its infancy, we might have a mini-version of the UK’s cross-border problem on our hands: when the UK switched over to EMV, fraudsters stole UK citizens’ magstripe data and used it in the United States where magstripes were prevalent. In the same way, stores that don’t have EMV readers might be at risk because they’re an easier target than those with the new machines.
Skimming Redux: the Tapping Attack
If you thought we wouldn’t have to worry about skimming anymore once chip cards become more prevalent, think again. Essentially, the tapping attack is a form of skimming that requires chipped cards. Remember how chip cards are ultra-secure because the data is encrypted? Turns out some of the information, like the customer’s PIN, isn’t encrypted when a terminal is talking to certain types of chip cards (meaning, those types of chip cards where the issuer didn’t invest in more expensive forms of cryptography). With the information skimmed from this attack, the fraudster has enough data to make a functional magstripe-and-PIN card, or has the ability to access the PIN on a stolen card.
Lost or Stolen Cards
This is the easy one: shady individuals will steal cards to use the cards for their own purposes. There are some very clever ways to get hold of stolen cards, such as the Courier Scam: a person pretending to be from your bank calls and claims your card has been compromised, so they need you to mail your card and PIN back to your bank. They then hire a mail person to collect your envelope, who gives it to the fraudsters instead of the bank. Credit cards can also be obtained through the mail before they’re delivered, from pick-pocketing, or from misplaced cards, among other means.
Fraudsters have many methods available, such as the last two in this list, to use stolen cards for their own gain.
Signature Forging
I don’t think that I need to spend a whole lot of time on this one because I already have: the signature on a stolen chip-and-signature card, or on a chip-and-PIN card used with a terminal only enabled for signatures, can easily be forged.
Fake/Stolen Card Combo
This is the forged card’s more intelligent sibling. There are a few different attacks (that we know of) that use fake cards, but I’m lumping them together because if you’re a business owner, it doesn’t matter what sort of trick a fraudster is pulling–you just have to be on the lookout for fake cards.
The first, the Wedge Attack, was discovered by Cambridge University researchers in 2010. They figured out that if somebody gets a hold of a stolen card, they could use a man-in-the-middle device to convince the terminal that a PIN was entered while simultaneously convincing the card that the transaction was verified by signature. In order for it to work, the real card is attached to the man-in-the-middle device, and the fraudster inserts a fake card into the terminal. During the transaction, the fraudster could enter any PIN and the transaction would still go through.
The Relay Attack, also discovered by Cambridge University researchers, is quite ingenious: the customer puts their real card into a tampered-with POS terminal to make a payment. Instead of the information transmitting to the bank, it’s transmitted to another man-in-the-middle device, which is held by a shady individual (Fraudster B) in another store. Fraudster B then uses the information transmitted from the fake terminal to make a different purchase with a fake card at the second store. The customer thinks they’re paying, say, $5 for a coffee, but their account was actually charged $400 for a computer.
The fake cards used by the Cambridge researchers were wired to the man-in-the-middle device (see the above link for a picture), but they think it would be possible to make wireless cards and small, covert man-in-the-middle devices. It is unknown at this point whether the flaws in the EMV technology that make the Wedge and Relay attacks possible have been fixed. Regardless, EMV technology is very complicated and it’s difficult to close all the doors. Even if those attacks don’t work, somebody less honest than the people at Cambridge will likely find one that does sooner or later.
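The Wedge Attack leaves the terminal and the card disagreeing about how the cardholder was verified, and an issuer that receives both views can check for that disagreement. The following is an added example, not code from this article or from the Cambridge researchers: the record field names and the already-decoded card-side flag are assumptions, and the sample records are constructed.

```python
# Issuer-side consistency check for the terminal/card disagreement that
# the Wedge Attack produces. CVM Results (EMV tag 9F34) is the terminal's
# 3-byte record of the cardholder verification method it performed.
# Assumption: "card_reports_offline_pin_verified" stands for the indicator a
# card scheme carries in its Issuer Application Data, decoded upstream.

OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # offline PIN, with or without signature
CVM_SUCCESSFUL = 0x02                           # byte 3: 00 unknown, 01 failed, 02 ok


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True when the terminal says an offline PIN check succeeded."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # low six bits hold the method code
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL


def check_authorization(record: dict) -> str:
    """Return 'ok', 'mismatch' or 'malformed' for one authorization record."""
    try:
        terminal_pin = terminal_claims_offline_pin(
            bytes.fromhex(record["cvm_results_9f34"]))
    except (KeyError, TypeError, ValueError):
        return "malformed"
    card_pin = record.get("card_reports_offline_pin_verified")
    if not isinstance(card_pin, bool):
        return "malformed"
    # Terminal believes a PIN was verified, card says it never verified one.
    if terminal_pin and not card_pin:
        return "mismatch"
    return "ok"


def flag_suspect(records: list) -> list:
    """IDs of records that should be declined or reviewed."""
    return [r["id"] for r in records if check_authorization(r) != "ok"]


# Constructed sample records (hypothetical field names).
SAMPLE_RECORDS = [
    {"id": "A", "cvm_results_9f34": "410302", "card_reports_offline_pin_verified": True},
    {"id": "B", "cvm_results_9f34": "1E0300", "card_reports_offline_pin_verified": False},
    {"id": "C", "cvm_results_9f34": "410302", "card_reports_offline_pin_verified": False},
    {"id": "D", "cvm_results_9f34": "4103", "card_reports_offline_pin_verified": False},
]

if __name__ == "__main__":
    print(flag_suspect(SAMPLE_RECORDS))
```

Record C is the pattern described above: the terminal reports a successful offline PIN while the card reports none. Record D is treated as suspect because a truncated field cannot be checked.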
What You Can Do
The very best thing to do, if you haven’t already, is to invest in new EMV terminals. You should also become familiar with your rights when it comes to liability and the new chip card technology. Above all else: be vigilant–check those signature cards, keep an eye out for any suspicious goings-on in your place of business (by both employees and customers), don’t leave terminals unattended, regularly examine terminals to ensure they haven’t been tampered with, and get a good look at customers’ cards to make sure they’re genuine.
Although EMV technology is not completely fraud proof, it is a whole lot better than what we were using before. For now, as we’ve seen in other countries, we can expect a lot of fraud to move to the less-secure card-not-present line of attack (which is a whole other article in itself).
Regardless of how often fraud happens, it only takes one attack to ruin somebody’s day–take some steps to ensure that it isn’t yours.