U.S. Chip Cards Are Being Compromised in the Millions

A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.

Chip-and-PIN technology has become the de facto standard for in-person credit- and debit-card transactions in the U.S. – but a lack of merchant compliance means that cards are still being compromised in the millions.

Chip cards, which contain an embedded microprocessor that encrypts the card data, are in theory a more secure alternative to magnetic-stripe cards. They implement the EMV standard (named for Europay, MasterCard and Visa), a global standard for chip cards’ compatibility with point-of-sale (POS) terminals. They became the default type of card when the four major U.S. credit-card issuers – Visa, MasterCard, American Express and Discover – decided in 2015 to shift payment-card fraud liability onto merchants that do not have an EMV payment system. The only exception is gas stations, which have until 2020 to make the switch, owing to the expense of replacing gas pumps.

The massive Home Depot and Target data breaches also gave wings to chip cards, after millions of Americans saw their payment-card information compromised and demanded change.

The counterintuitive reality, according to a study from Gemini Advisory based on telemetry data collected from various Dark-Web sources, is that 60 million U.S. cards were compromised in the past 12 months. Of those, 93 percent were EMV chip-enabled.

Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions (“card-present” in the industry parlance). These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Both Chili’s and Cheddar’s Scratch Kitchen, for instance, were bitten by payment-card data breaches earlier this year.

Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.

In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV-enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance—too many of them still use the mag-stripe function at POS terminals.

“There are numerous merchant locations that are still asking their customers to swipe rather than use the chip-insert method, thus completely neglecting the EMV security features,” explained Gemini, in its report. “In some cases, retailers are opposing migration to newer EMV technology because of the inherent high cost of the equipment. To fully upgrade the hardware and software of a POS terminal, the price tag could be upward of several thousand dollars, which is often a pricey burden for small to medium size businesses, leaving them exposed to card-present fraud.”

Financially motivated threat groups like the notorious FIN7 gang tend to compromise merchant networks, finding their way to POS terminals and deploying POS malware. Once the malware identifies a card’s track data, that data is copied, encoded and finally exfiltrated to a command-and-control (C2) server.

Gemini also said that card-present data “is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as ‘shimmers’ to record and exfiltrate data from ATMs and POS systems. Shimmers sit between the chip on the card and the chip reader in the ATM or point-of-sale device, recording the data on the chip as it is read by the underlying machine.”

If a merchant has not fully deployed the EMV functionality, the track 1 and track 2 data stolen from a chip transaction can easily be encoded by the fraudster onto any magnetic stripe and used at a terminal that still accepts swipes.
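
The swipe-versus-insert decision that the report says many merchants skip can be driven by the card's own service code, which is part of the track 2 data a terminal reads on a swipe. The following is an added example, not code from this article, Gemini or any terminal vendor: it parses an ISO/IEC 7813 track 2 record, Luhn-checks the PAN, reads whether the card is chip-capable and whether the issuer mandates a PIN, and refuses a swipe of a chip card unless the chip read has already failed; the entry-mode labels, the `decide()` policy and the sample record are assumptions constructed here.

```python
"""Terminal-side swipe policy (added example, not code from Gemini or any vendor).
Track 2 layout and service-code meanings follow ISO/IEC 7813; the entry-mode
labels, decide() policy and sample record are assumptions constructed here."""
import re
from typing import NamedTuple
# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$")

class Track2(NamedTuple):
    pan: str
    expiry_yymm: str
    service_code: str

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a well-formed track 2 record")
    return Track2(m["pan"], m["exp"], m["svc"])

def chip_capable(service_code: str) -> bool:
    """First digit 2 (international) or 6 (national) means an IC chip is present."""
    return service_code[0] in "26"

def pin_required(service_code: str) -> bool:
    """Third digit 0, 3 or 5 mandates a PIN; 6 and 7 prompt only if a PIN pad exists."""
    return service_code[2] in "035"

def decide(entry_mode: str, raw_track2: str, chip_read_failed: bool) -> str:
    """Policy for one card-present read; entry_mode is 'chip', 'contactless' or 'swipe'."""
    if entry_mode != "swipe":
        return "accept"
    card = parse_track2(raw_track2)
    if not chip_capable(card.service_code):
        return "accept"        # mag-stripe-only card: a swipe is its only option
    if chip_read_failed:
        return "fallback"      # issuer sees a fallback transaction and may decline it
    return "prompt_insert"     # chip card swiped without trying the chip: refuse the swipe

# Constructed sample record using the public test PAN 4111111111111111
SAMPLE_CHIP_CARD = ";4111111111111111=2512201000000000000?"
```

A real terminal additionally applies its acquirer's fallback rules (for example, how many failed chip reads are tolerated before a swipe is allowed), which are not modelled here.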

The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

“Because Gemini Advisory believes that criminal groups will always sway to the path of least resistance, we predict that financially motivated threat groups … will be more likely to turn their resources onto small to medium-sized businesses with 10-50 locations,” the firm said. “Since such businesses are less likely to have fully implemented the EMV transition, criminals would be able to rely on their current TTPs for card data exfiltration.”

  • Dennis

    I'm not aware of any card issuers in the US that activated Chip & PIN, were there any? It was my understanding that Chip & Signature became the norm because the card issuers didn't think the average person in the US could remember another PIN.
  • Joseph Marino

    Yes, Dennis, the US card issuers did not, and still do not, require the use of a PIN with the EMV chip enabled credit cards. Possession is king, allowing anyone to use anyone else's embedded chip credit card in person (card present). Best part is, many businesses don't even request signatures for purchases below a given dollar value (around $50, but varies by business).
  • John

    Dennis is correct, only a few offer true chip and PIN and most of them have PIN as secondary to signature.
  • Anthony K Wikrent

    Not only are EMV payment systems orders of magnitude more costly, they also double or triple the transaction time. And, the buyer has to leave the card in the system, often forgetting to take it out after the transaction. There is no improvement or benefit from EMV payment systems except to the god damn banks and credit card companies. Another systemic FAIL by the powers that be. And the banksters wonder why political populism is on the rise?!
  • Alex CV

    That's BS. On a modern EMV terminal (in Canada...) the PIN validation is as fast or faster than the approval on a signature. When using the "tap" feature it's much faster (typically < 2 seconds per transaction.)
  • Anonymous

    Agree w/ CV. I’ve used them in Canada and Europe and found it to be just as fast. Compromise rates in those countries are MUCH lower than in the USA.
  • Khürt Williams

    I'm not surprised. If the issuing banks (the same folks who created PCI-DSS) really cared about improving security, EMV cards would have no mag stripe and the card readers would default to requesting a PIN. Security once again loses to convenience. Paying with my phone (fingerprint/facial scan) is safer in comparison.
  • No Spam

    The biggest exfiltration vector is the servers connected to the Internet, not the point of sale.
