Chip-and-PIN technology has become the de-facto standard for in-person credit- and debit-card transactions in the U.S. – but a lack of merchant compliance means that cards are still being compromised in the millions.
Chip cards, which contain an embedded microprocessor that encrypts the card data, are a more secure alternative to magnetic stripe cards, in theory. They also implement the EMV standard, which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point of sale (PoS) terminals. They became the default type of card when the four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – decided to shift payment-card fraud liability to merchants in 2015, if they do not have an EMV payment system. The only exception to this is gas stations, which have until 2020 to make the switch (owing to the expense related to swapping out gas pumps).
The massive Home Depot and Target data breaches also gave wings to chip cards, after millions of Americans saw their payment-card information compromised and demanded change.
The counterintuitive reality, according to a study from Gemini Advisory based on telemetry data collected from various Dark-Web sources, is that 60 million U.S. cards were compromised in the past 12 months. Of those, 93 percent were EMV chip-enabled.
Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions (“card-present” in the industry parlance). These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Both Chili’s and Cheddar’s Scratch Kitchen, for instance, were bitten by payment-card data breaches earlier this year.
In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the US is 868 percent higher than the rest of the world combined.
The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance—too many of them still use the mag-stripe function at PoS terminals.
“There are numerous merchant locations that are still asking their customers to swipe rather than use the chip-insert method, thus completely neglecting the EMV security features,” explained Gemini, in its report. “In some cases, retailers are opposing migration to newer EMV technology because of the inherent high cost of the equipment. To fully upgrade the hardware and software of a POS terminal, the price tag could be upward of several thousand dollars, which is often a pricy burden for small to medium size businesses, leaving them exposed to card-present fraud.”
Financially motivated threat groups like the notorious FIN7 gang tend to compromise merchant networks, finding their way to POS terminals and deploying POS malware. Once the malware identifies a card’s track data, it is copied, encoded and then finally exfiltrated to a command and control server (C2).
Gemini also said that card-present data “is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as “shimmers” to record and exfiltrate data from ATMs and POS systems. Shimmers sit between the chip on the card and the chip reader in the ATM or point-of-sale device, recording the data on the chip as it is read by the underlying machine.”
If the EMV functionalities are not fully deployed, the track 1 and track 2 data stolen from the chip transaction can be easily encoded by the fraudster onto any magnetic strip.
The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.
“Because Gemini Advisory believes that criminal groups will always sway to the path of least resistance, we predict that financially motivated threat groups … will be more likely to turn their resources onto small to medium-sized businesses with 10-50 locations,” the firm said. “Since such businesses are less likely to have fully implemented the EMV transition, criminals would be able to rely on their current TTPS for card data exfiltration.”