
Blog Post: Commentary on Rising EMV Fraud Rates

For how long is a technology really secure? In today’s security ecosystem, the expiration date of seemingly ‘secure’ technologies is growing ever shorter.

By Simon Gamble

Network security has always been a cat and mouse game. Vendors and security providers come up with new technologies, and fraudsters and criminals do their best to defeat them.

Europay, Mastercard and Visa (known as EMV) card chip technology has been the latest example. EMV has been an essential element in the worldwide fight against cybercrime, helping drop card fraud rates with an encrypted microchip and algorithm that helps protect cardholder data. But lately, questions have started to crop up regarding the ability of fraudsters to defeat EMV’s renowned security features.

A bit about the technology: EMV works by embedding a microchip into payment cards that’s encoded with data that uniquely identifies the cardholder, in addition to an encryption algorithm with extra data used to validate card transactions. When you insert your card into a reader and the information is transmitted to the bank, the data is always encrypted and protected by an algorithm that keeps the information secret. Even if a fraudster were able to record the information from your card, without the correct algorithm to exploit the information, it would be useless to them.

Moreover, fraudsters would also need to create a new microchip embedded with your card data before they could use it.

This method is far more complex than the magnetic stripes found on many cards around the world, which rely on your account number stored directly on the back of the card. Magnetic stripe technology is nearly 60 years old now, and has long since been figured out by organized criminals. That’s why most regions of the world are moving to EMV and phasing out mag stripes entirely.

But chinks are beginning to show in the armor of EMV protection.

Cards with EMV microchips have helped reduce fraud, but recent reports indicate they may no longer be as secure.

Several years ago, researchers at Cambridge University were able to figure out a way around the EMV card security features and fool a payment terminal into accepting an invalid transaction (full research paper linked here). While an ingenious bit of technological mastery, their exploit was somewhat impractical; it necessitated a high degree of technical ability and has never been observed in use by criminals.

But a second set of Cambridge researchers flagged another security issue with EMV transactions last month that was more widespread, affecting hardware manufacturers that produce ATM machines, payment terminals and other devices used in the payment process. Every EMV transaction authorization is supposed to be generated with a random number included to validate the transaction, but the researchers found out that number wasn’t so random after all. In fact, it could be accurately predicted, and the team could set up a prearranged transaction with the correct number sequence.
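A defender-side check for the weakness described above, as an added example that is not from the original post or the research it mentions: it scans each terminal's logged transaction numbers for repeats, bits that never change and counter-like steps. The record layout (terminal ID plus a 32-bit number as hex), the thresholds and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_SAMPLES = 6        # fewer samples make the bit and step tests meaningless
MAX_FIXED_BITS = 8     # of 32 bits; a random source rarely leaves this many unchanged
MAX_STEP = 1 << 16     # consecutive values this close together look like a counter

# Constructed sample log: (terminal ID, transaction number as 8 hex digits).
SAMPLE_LOG = [
    ("ATM-A", "0000A1F0"), ("ATM-A", "0000A1F7"), ("ATM-A", "0000A203"),
    ("ATM-A", "0000A20C"), ("ATM-A", "0000A215"), ("ATM-A", "0000A221"),
    ("POS-B", "7F3C91D2"), ("POS-B", "02E8564B"), ("POS-B", "D915A07E"),
    ("POS-B", "4A6B3FC1"), ("POS-B", "B1C2E835"), ("POS-B", "36D70D9A"),
    ("POS-C", "1B2C3D4E"), ("POS-C", "9A0B1C2D"), ("POS-C", "1B2C3D4E"),
]

def assess(values):
    """Return the weaknesses seen in one terminal's sequence of numbers."""
    findings = []
    if len(set(values)) < len(values):
        findings.append("repeated-value")
    if len(values) >= MIN_SAMPLES:
        varying = 0
        for v in values[1:]:
            varying |= v ^ values[0]      # bits that ever differ from the first sample
        if 32 - bin(varying).count("1") > MAX_FIXED_BITS:
            findings.append("fixed-bits")
        # Differences are taken modulo 2**32 so a wrapping counter is still caught.
        steps = [(b - a) % (1 << 32) for a, b in zip(values, values[1:])]
        if all(0 < s < MAX_STEP for s in steps):
            findings.append("counter-like")
    return findings

def scan(records):
    """Group records by terminal, in log order, and assess each sequence."""
    per_terminal = defaultdict(list)
    for terminal, hex_value in records:
        per_terminal[terminal].append(int(hex_value, 16))
    return {t: assess(v) for t, v in per_terminal.items()}

if __name__ == "__main__":
    for terminal, findings in scan(SAMPLE_LOG).items():
        print(terminal, findings or "no weakness flagged")
```

A clean result only means these three heuristics found nothing; it does not show the number source is unpredictable.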

Again, not a fatal flaw, and no one has been able to show an instance where EMV cards were successfully cracked or duplicated ‘in the wild’ this way.

Except that EMV fraud is happening – with surprising regularity.

The UK Financial Ombudsman Service tracks the number of complaints it receives for disputed fraud charges. According to the Daily Mail, the Ombudsman Service has seen a “30 percent jump in the number of complaints about refusal to pay out on card fraud, of which the vast majority are chip-and-pin (EMV) cases. Complaints are up to 70 a week – some 3,400 over the past 12 months.”

In one widely reported anecdote, a victim had their wallet pickpocketed and EMV-protected credit card stolen in Paris. The thieves started withdrawing cash only minutes later.

Now normally, the bank would refund the money a victim lost due to fraud, except in cases of ‘gross negligence’ – usually constituted by writing down your PIN number and keeping it with the card. The bank refused to refund the victim in this case on that basis; he must have had the PIN written down with the card, since the thieves were able to enter it successfully on the first try, according to bank records. Except for one thing: the man had never used the card for a purchase before, and didn’t even know what the PIN was.

So how could the thieves determine the PIN? Were they able to crack the card? We may never know; all we can do is examine the evidence and take heed of the warning signs. But these incidents can reinforce one very basic lesson for us all: never rely on only one method of defense to provide security. EMV on its own is not the answer to the fight against fraudsters. Instead, a layered approach to security, incorporating redundant security methods and compliance with best practices like the Payment Card Industry Data Security Standard, will afford the best protection.
