For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.
Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader—rather than swipe or insert it—to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash—though that "jackpotting" hack only works in combination with additional bugs he says he's found in the ATMs' software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.
"You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM—like cash out, just by tapping your phone."
Rodriguez says he alerted the affected vendors—which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor—to his findings between 7 months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don't regularly receive software updates—and in many cases require physical access to update—mean that many of those devices likely remain vulnerable. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says.
As a demonstration of those lingering vulnerabilities, Rodriguez shared a video with WIRED in which he waves a smartphone over the NFC reader of an ATM on the street in Madrid, where he lives, and causes the machine to display an error message. The NFC reader appears to crash, and no longer reads his credit card when he next touches it to the machine. (Rodriguez asked that WIRED not publish the video for fear of legal liability. He also didn't provide a video demo of a jackpotting attack because, he says, he could only legally test it on machines obtained as part of IOActive's security consulting to the affected ATM vendor, with whom IOActive has signed an NDA.)
The findings are "excellent research into the vulnerability of software running on embedded devices," says Karsten Nohl, the founder of security firm SRLabs and a well-known firmware hacker, who reviewed Rodriguez's work. But Nohl points to a few drawbacks that reduce its practicality for real-world thieves. A hacked NFC reader would only be able to steal mag-stripe credit card data, not the victim's PIN or the data from EMV chips. And the fact that the ATM cashout trick would require an extra, distinct vulnerability in a target ATM's code is no small caveat, Nohl says.
But security researchers like the late IOActive hacker Barnaby Jack and the team at Red Balloon Security have been able to uncover those ATM vulnerabilities for years, and have even shown that hackers can remotely trigger ATM jackpotting remotely. Red Balloon CEO and chief scientist Ang Cui says that he's impressed by Rodriguez's findings and has little doubt that hacking the NFC reader could lead to dispensing cash in many modern ATMs, despite IOActive withholding some details of its attack. "I think it's very plausible that once you have code execution on any of these devices, you should be able to get right to the main controller, because that thing is full of vulnerabilities that haven't been fixed for over a decade," Cui says. "From there," he adds, "you can absolutely control the cassette dispenser" that holds and releases cash to users.
Rodriguez, who has spent years testing the security of ATMs as a consultant, says he began exploring a year ago whether ATMs' contactless card readers—most often sold by the payment technology firm ID Tech—could serve as an in-road to hacking them. He began buying NFC readers and point-of-sale devices from eBay, and soon discovered that many of them suffered from the same security flaw: They didn't validate the size of the data packet sent via NFC from a credit card to the reader, known as an application protocol data unit or APDU.
By using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that's hundreds of times larger than the reader expects, Rodriguez was able to trigger a "buffer overflow," a decades-old type of software vulnerability that allows a hacker to corrupt a target device's memory and run their own code.
When WIRED reached out to the affected companies, ID Tech, BBPOS, and Nexgo didn't respond to requests for comment, and the ATM Industry Association declined to comment. Ingenico responded in a statement that due to its security mitigations, Rodriguez's buffer overflow technique could only crash its devices, not gain code execution on them, but that, "considering the inconvenience and the impact for our customers," it issued a fix anyway. (Rodriguez counters that he's doubtful that Ingenico's mitigations would actually prevent code execution, but he hasn't actually created a proof of concept to demonstrate this.)
Verifone, for its part, said that it had found and fixed the point-of-sale vulnerabilities Rodriguez highlighted in 2018, long before he had reported them. But Rodriguez argues that this only demonstrates the lack of consistent patching in the company's devices; he says he tested his NFC techniques on a Verifone device in a restaurant last year and found that it remained vulnerable.
After keeping many of his findings under wraps for a full year, Rodriguez plans to share the technical details of the vulnerabilities in a webinar in the coming weeks, in part to push customers of the affected vendors to implement the patches that the companies have made available. But he also wants to call attention to the abysmal state of embedded device security more broadly. He was shocked to find that vulnerabilities as simple as buffer overflows have lingered in so many commonly used devices—ones that handle cash and sensitive financial information, no less.
"These vulnerabilities have been present in firmware for years, and we’re using these devices daily to handle our credit cards, our money," he says. "They need to be secured."
More Great WIRED Stories
How to withdraw up to $50,000 in cash from an ATM by using data stolen from EMV cards
Researchers have demonstrated how crooks can make ATMs spit out thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.
When the EMV (Europay, MasterCard, and Visa) was introduced, the vast majority of security experts believed solved the problems caused by easy to clone magnetic stripe cards.
EMV chip-equipped cards implement an extra layer of security which makes these cards secure than the magnetic stripe cards.
In reality, also Chip-and-PIN cards are not so complicated to hack, this is what a group of researchers from Rapid7 demonstrated at the Black Hat USA 2016 conference. The group of experts have demonstrated how crooks can withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.
Simple modifications to equipment would allow attackers to bypass the Chip-and-PIN protections as explained in the paper published by the team and titled “Hacking Next-Gen ATMs: From Capture to Washout.”. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.
The presentation made by the researchers was spectacular, the hacker demonstrated the hack by forcing an ATM spit out hundreds of dollars in cash.
In a first phase of the attack, fraudsters mount a small Shimmer to the ATM card reader in order to carry on a man-in-the-middle (MITM).
The shimmer is a skimming device for EMV cards, is a RaspBerry-Pi-powered device that could be installed outside of the ATM without access to the internals of the cash machine.
The shimmer sits between the card chip and the card reader in the ATM, it is able to record the data on the chip, including the PIN, when the ATM reads it. In this phase, once captured the data, the device transmits it to the attackers. In the second half of the attack, fraudsters use a smartphone to received the stolen card data and recreate the victim’s card in an ATM to instructing the machine to eject cash.
The data is remotely sent to another device, which researchers have dubbed “La-Cara.”
La-Cara that could be assembled with $2,000 components is placed on an ATM machine, is emulates the presence of the EMV card inserted into the card slot. The data stolen by the shimmer are remotely sent to the La-Cara device which instruct the ATM to withdraw money from the card.
“The modifications on the ATM are on the outside,” Tod Beardsley, a security research manager for Rapid7, told the BBC.
“I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”
“It’s really just a card that is capable of impersonating a chip,” Beardsley added. “It’s not cloning.”
The device is easy to install, crooks can mount it quickly outside of the ATM without access to the internals of the cash machine.
Watch out, data used in the EMV to enable transactions are dynamic, this means that crooks can use them only for a very short period of time (e.g. up to one minute). This means that fraudsters have to complete the operations is a short time.
Researchers from Rapid 7, have already reported the details about the hack to banks and major ATM manufacturers.
(Security Affairs – EMV cards, hacking)
This ATM Hack Allows Crooks to Steal Money From Chip-and-Pin Cards
It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.
We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.
But, it turns out to be just a myth.
A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.
The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.
Here's How the Hack Work
The hack requires two processes to be performed.
First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, ATM's card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.
The shimmer sits between the victim's chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.
The criminals then use a smartphone to download this stolen data and recreate the victim's card in an ATM, instructing it to eject cash constantly.
Tod Beardsley, a security research manager for Rapid7, told the BBC that shimmer is basically a tiny RaspBerry-Pi-powered device that could be installed quickly to the outside of the ATM without access to the internals of the cash machine.
"It's really just a card that is capable of impersonating a chip," Beardsley said. "It's not cloning."The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to make between up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.
Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.
One of many ways that Americans are ridiculed by the rest of the world is that they don’t have chip and PIN on their credit cards yet; US credit card companies have been slow to bring this technology to millions of POS terminals across the country. Making the transition isn’t easy because until the transition is complete, the machines have to accept both magnetic stripes and chip and PIN.
This device can disable chip and PIN, wirelessly, by forcing the downgrade to magstripe. [Samy Kamkar] created the MagSpoof to explore the binary patterns on the magnetic stripe of his AmEx card, and in the process also created a device that works with drivers licenses, hotel room keys, and parking meters.
The electronics for the MagSpoof are incredibly simple. Of course a small microcontroller is necessary for this build, and for the MagSpoof, [Samy] used the ATtiny85 for the ‘larger’ version (still less than an inch square). A smaller, credit card-sized version used an ATtiny10. The rest of the schematic is just an H-bridge and a coil of magnet wire – easy enough for anyone with a soldering iron to put together on some perfboard.
By pulsing the H-bridge and energizing the coil of wire, the MagSpoof emulates the swipe of a credit card – it’s all just magnetic fields reversing direction in a very particular pattern. Since the magnetic pattern on any credit card can be easily read, and [Samy] demonstrates that this is possible with some rust and the naked eye anyway, it’s a simple matter to clone a card by building some electronics.
[Samy] didn’t stop there, though. By turning off the bits that state that the card has a chip onboard, his device can bypass the chip and PIN protection. If you’re very careful with a magnetized needle, you could disable the chip and PIN protection on any credit card. [Samy]’s device doesn’t need that degree of dexterity – he can just flip a bit in the firmware for the MagSpoof. It’s all brilliant work, and although the code for the chip and PIN defeat isn’t included in the repo, the documents that show how that can be done exist.
[Samy]’s implementation is very neat, but it stands on the shoulders of giants. In particular, we’ve covered similar devices before (here and here, for instance) and everything that you’ll need for this hack except for the chip-and-PIN-downgrade attack are covered in [Count Zero]’s classic 1992 “A Day in the Life of a Flux Reversal“.
Thanks [toru] for sending this one in. [Samy]’s video is available below.
At bypass atm chip
Almost every credit card issued in the U.S. is equipped with EMV technology. If you need an EMV card with Chip-and-PIN capability in particular, check out our list of card issuers that offer Chip-and-PIN cards.
What Is EMV Technology?
EMV is a security standard for storing account information on credit cards. It’s an alternative to the magnetic stripe (mag stripe) that has traditionally been used to store information on the backs of cards in the United States.
EMV stands for “Europay, Mastercard, and Visa,” the three companies who began this initiative. It’s a more secure way to store information, providing better protection against some forms of credit card fraud than the older mag stripe, because it can’t be as easily “skimmed” by fake credit card readers.
There are two main types of EMV credit card technology: Chip-and-Signature and Chip-and-PIN. The signature function requires a signature to verify transactions, just like credit cards traditionally have in the past. The PIN function requires a four-digit PIN, just like a debit card.
Today, every chip credit card you get in the U.S. will use Chip-and-Signature technology, in addition to having a magnetic stripe on the back. Some cards also include the Chip-and-PIN function, so they’re more compatible overseas and more secure in the U.S.
There’s much more to EMV technology. But in most cases, especially if you’ll just be using your card in the U.S., you don’t need to worry about anything other than how to make purchases with your EMV card.
If you’re planning to travel outside the U.S., in Canada or Europe, you should probably have a Chip-and-PIN credit card. Although many payment terminals will accept Chip-and-Signature, in some cases you might need a PIN card, like at unattended kiosks and train ticket machines. Be sure to get one that has no foreign transaction fees as well, so you don’t have to pay extra for every purchase.
All About EMV Chip Cards
How Do EMV Chip Cards Work?
When you make a purchase with a credit card, the terminal needs to verify that you’re the one who’s actually using the card.
This verification is usually done with a signature in the U.S., and sometimes with a PIN in other countries. The merchant may waive the verification requirement, especially for small purchases.
The chip and the terminal work together to create a unique, encrypted code, called a token or cryptogram. This token is unique to the specific transaction taking place, and will only be used that one time. This number is created from information in the chip combined with information in the terminal, but using instructions contained only in the chip.
This is a dynamic number, meaning it will be different for every transaction. It’s useless outside of that one transaction, and if anyone were able to copy it he or she wouldn’t be able to use it to make purchases with the card. That’s in contrast to the static information contained in a mag stripe, which is always there on your card and able to be copied.
Next, this token needs to be decoded to verify that it came from your card’s chip. To do this, it will either be sent to the card issuer over the internet (known as online verification) or it will be verified within the terminal itself (known as offline verification). Transactions with offline verification will be processed more quickly because they don’t require the online check.
After the token is verified, and the system determines that you have enough available credit on your card, the purchase will be approved.
What’s the Difference Between Chip-and-Signature and Chip-and-PIN?
Chip-and-Signature and Chip-and-PIN are two different Card Verification Modes (CVMs). CVMs are used when making purchases with credit cards, to verify that the real accountholder is using the card and not a fraudster.
Simply put, signature cards will require a signature to verify the transaction, while PIN cards will require a PIN.
The PIN verification mode is more secure than the signature verification mode, of course. Anyone could forge a signature, and most cashiers never even check to see if your signature matches the one on your card. A PIN can’t be so easily duplicated.
Can a Card Be Both Chip-And-Signature and Chip-And-PIN?
Yes, a credit card can have both Chip-and-Signature and Chip-and-PIN capability. Most cards issued in the U.S. are Chip-and-Signature, while some also have PIN functionality (and some cards still only have mag stripes). The credit card issuer determines the features of the card.
If a card has both signature and PIN capability, it will be set to prefer either one or the other. This is called “signature-preferred” or “signature-priority” in the first case, and “PIN-preferred” or “PIN-priority” in the second.
Most cards that have both functions are signature-priority. But a few are PIN-priority, like the Diners Club cards, some cards from credit unions like UNFCU and First Tech Federal Credit Union, and some store cards like the Target REDCard. In some cases you can set the priority yourself.
When traveling outside the U.S., people generally prefer PIN-priority cards because that’s the norm for most merchants. Some merchants in other countries are less familiar with the signature verification method, and transactions could end up taking much longer.
You can still typically get by in other countries with signature-priority cards, because most point-of-sale terminals can process either signature or PIN verification modes. But in some cases you might have a hard time using unattended self-checkout terminals and kiosks, which might not accept signatures.
When you make a purchase with your chip card by inserting or dipping it into the terminal, it will tell you the verification method required. You can then just follow the instructions it provides.
Why Does My Chip Card Still Have a Magnetic Stripe?
The switchover to EMV technology began years ago and it won’t finish for several more years still, at least.
Although liability for card fraud falls upon the least-EMV compliant party in most cases, some merchants still use terminals that only accept magnetic stripe cards. This is their choice, and it might currently be the right move for them given their finances and business needs.
The major credit card networks gave all U.S. merchants a set timeline for this shift in fraud liability, giving them several years to install chip-enabled terminals. Automated gas pumps are last, with a deadline for compliance of October 2020.
So credit cards in the U.S. will have mag stripes for many more years to come. There’s no telling when we may see cards issued without them.
What Are the Advantages of EMV Cards Over Traditional Cards?
The basic advantages come down to account security for card present transactions, as explained below. EMV chips are also more difficult to copy than mag stripes.
Better security should cut down on credit card fraud, in general, which should make the finance industries better for businesses and consumers alike.
What Are Some Other Names for EMV Cards?
EMV cards are known by many names. They include:
- Chip-and-Signature cards
- Chip-and-PIN cards
- Chip-and-Choice cards
- Chip cards
- IC cards (for “integrated circuit”)
- Smart cards
- EMV smart cards
- Smart chip cards
- Smart payment cards
What’s the Difference Between EMV and NFC?
EMV and NFC are completely different.
EMV is a set of security technologies and standards, and it stands for “Europay, Mastercard, and Visa.”
NFC stands for “Near-Field Communication,” and this refers to the ability to wirelessly transfer information across short distances. NFC is used in “tap to pay” checkout terminals, where you hold your credit card or smartphone near the terminal to process a transaction. This is also referred to as a “contactless” payment method.
Nearly every card issued today has EMV technology, at least Chip-and-Signature and sometimes also Chip-and-PIN. And there are a growing number of issuers providing contactless cards in the U.S. today.
Do Debit Cards Have EMV Technology?
Yes, debit cards also have EMV technology. Debit cards usually have Chip-and-PIN EMV technology, so they end up working just like they always have.
You’ll use the same card PIN that you always have to make EMV purchases with a debit card. The only difference will be that you have to insert the card, rather than swipe it.
Debit cards use Chip-and-PIN rather than Chip-and-Signature because debit card holders in the U.S. are used to entering a PIN when making purchases. Banks want to make the EMV shift as easy as possible for consumers so they can continue using their cards without interruption. So chip debit cards still use a PIN, and credit cards generally use a signature — for now.
EMV Secure Remote Commerce for Online Payments
Ecommerce websites often feature a variety of checkout buttons — which should you click? This can be confusing for customers, and it can be a lot for merchants to manage.
EMV Secure Remote Commerce, also known as “click to pay,” is a new standard that aims to simplify this process, giving consumers a checkout experience that’s consistent across different merchant websites. Rather than dealing with different payment options on every site you visit, you can use the same clean, easily recognizable checkout interface.
Look for this button:
As of October 2019, only a few merchants have adopted EMV Secure Remote Commerce: Cinemark, Movember, and Rakuten. But you can expect to see it popping up more and more; BassPro, SaksFifth Avenue, JoAnn Fabric and Crafts, Papa John’s, SHOP.com, and Tickets.com are all slated to adopt the new standard by the end of 2019. The tech is expected to see wide availability in early 2020.
Jaromir Divilek, Executive Vice President, Global Network Operations at American Express, expects EMV Secure Remote Commerce to make confusing digital checkouts a thing of the past. “Consumers need, want, and deserve payment solutions that are easy, convenient, and secure,” said Divilek. “Click to pay will make the process of shopping online faster and easier, by reducing the amount of manual keying of information during the checkout process, without sacrificing security.”
Getting an EMV Chip Card
Where Can I Get an EMV-Enabled Credit Card?
Every credit card issued in the U.S. is equipped with EMV technology. Check out our Best Card Picks to find the right card for you, whether you’re looking for rewards, a travel card, or a way to build credit.
All EMV cards have the Chip-and-Signature verification mode, but not all have Chip-and-PIN. See our listing of issuers that offer Chip-and-PIN cards if you’re going to be traveling outside the U.S.
Are There Any Special Fees Associated with Chip Credit Cards?
No, there are no special or additional fees to use EMV chip cards.
It costs money for credit card companies and merchants to switch over to and maintain EMV technology, of course. These costs are probably passed on to the customer in some way. However, hopefully these security measures result in an overall reduction in fraud, which is a major expense. So perhaps there will be a balance there, or even an overall net reduction in costs.
Can I Still Use My Chip-Enabled Credit Card for Cash Advances at ATMs?
Yes. The chip in your card doesn’t prevent you from doing anything you normally would with the card. The PIN you use for cash advances may or may not be the same PIN you use for purchases, depending on the card issuer.
However, we recommend avoiding cash advances like the plague, because interest will start accruing on the advance as soon as you take it out. So they should only be used in true emergencies.
Chip-and-PIN Credit Cards
Where Can I Get a Card with Chip-and-PIN Functionality?
Many U.S. credit card issuers offer cards with PIN functionality today. Check out our list of credit card issuers that offer Chip-and-PIN cards.
Not this kind of chip and pin…
How Do I Set My Card’s PIN?
It depends on the issuer.
Some card issuers will assign you a PIN after you’re approved for the card, like the First Tech Federal Credit Union. They’ll inform you of the PIN by mail.
Others will prompt you to create one, like Barclays, and if you don’t then they’ll assign you one.
Still other card issuers may not assign you one, and they won’t prompt you for one either. You’ll have to either check to see if you have one, or create a new one. Bank of America and Citi are both like this.
You can always check or change your PIN by contacting the card issuer. Some credit card companies let you change your PIN online, while others require you to call.
Is the Cash Advance PIN the Same as the PIN for Making Purchases?
Usually, but not always. It depends on the card issuer.
Most card issuers let you use the same PIN for both cash advances and Chip-and-PIN transactions. But a few, like HSBC, will give you two separate PINs, one for each function.
Are Chip-and-Signature or Chip-and-PIN Cards More Common in the United States?
Most credit cards issued in the U.S. are currently just Chip-and-Signature. There are about a dozen U.S. issuers that offer Chip-and-PIN cards, however, and their ranks are slowly growing.
Paying with EMV Chip Cards
How Do I Use an EMV Card to Make a Purchase?
Rather than sliding your card through a card reader, you insert it into a terminal slot and leave it there until the transaction is complete. Verify that the screen shows the correct purchase amount. You’ll be given instructions on how to proceed, either signing or entering your PIN.
Inserting your card like this has been nicknamed “card dipping,” but it doesn’t sound very cool so we don’t recommend saying it in public.
Some people have complained that EMV transactions take longer than swiping your card. This might not always be true, however, because the processing time shouldn’t necessarily be longer.
It could be that EMV transactions just feel longer because you need to keep your card in the terminal, rather than swiping it, putting it away, and moving on. When you swipe a magnetic stripe card the terminal reads all the information, and then takes some time to process the transaction. But you can put your card away and start picking up your purchases during that time.
With chip transactions you need to leave the card in the terminal until it finishes processing, and some people may keep their hand on it the whole time. This could make the process feel longer, especially if you’re used to just swiping quickly and looking away.
Should I Dip or Swipe My Card?
Dipping your card is the more secure transaction method, so we recommend trying that first. If the terminal doesn’t accept chip cards for whatever reason, you’ll get an error and it will tell you to swipe.
Or, if you try to swipe but the terminal doesn’t accept that method, it will tell you to insert the chip.
If you’re not sure what to do, you can just try one or the other. Or you can ask the cashier for help.
Do You Have to Insert a Chip Card?
Checkout terminals will usually force you to either dip or swipe your card. In rare instances you may have a choice.
If your chip card features contactless technology (and it’s accepted at the terminal), you may be able to tap to pay, which is a good route if you’re worried about security.
If I Want to Use My Card at a Retailer That Doesn’t Support EMV Technology Yet, Will It Work?
Yes. You can still swipe the magnetic stripe on your card through the reader.
All credit cards in the United States currently still have magnetic stripes because merchants need time to adjust to this new technology.
Do I Have to Sign or Enter a PIN When I Make a Chip Transaction?
It depends on your specific card. Most cards just have Chip-and-Signature, while some others also feature Chip-and-PIN.
If your card only has Chip-and-Signature, you’ll be prompted to sign either the terminal screen or a printed receipt. If your card has both signature and PIN, the checkout system will default to your preferred method, which is almost always signature. If you want a PIN-priority card, check out Diners Club and credit unions like UNFCU and First Tech Federal Credit Union.
You won’t be able to choose signature or PIN, the terminal will automatically use your preferred method.
In April 2018, the four major U.S. credit card issuers — Visa, Mastercard, American Express, and Discover — decided that they’ll no longer require signatures as a verification method for purchases. Retailers may still require signatures to verify cardholder identities, however, but only if they choose to do so. This will help streamline the checkout process without compromising card security — signatures aren’t a very good security measure, and cashiers never check them anyway.
What If the Terminal Only Accepts PIN Cards, and Not Signature?
Terminals are generally supposed to accept both signature and PIN, depending on the preferred Card Verification Mode of the card. But some people, especially travelers in Europe, don’t always find this to be the case, especially when dealing with unattended payment terminals.
If you have a Chip-and-Signature card but you’re facing a terminal that is asking for a PIN, you may still be able to complete the transaction. You can try bypassing the PIN prompt by pressing “Enter,” “Continue,” or “Cancel.” If that doesn’t work, you can try looking for an attendant who can help.
If all that fails, you won’t be able to use that card in that card reader.
Usually, yes. Although EMV is the standard in Europe and Canada, be aware that most merchants expect you to use a PIN to verify the transaction.
Generally you should be fine, because terminals are supposed to accept either signature or PIN cards. But you may find that the merchant is unfamiliar with processing signature-verified transactions, so it could take quite a while and they may want to actually check your written signature against the one on the card.
In some cases, people have reported finding terminals won’t process cards that are only Chip-and-Signature. This can happen with unattended terminals and kiosks, like train ticket vending machines. If this happens you may need to find an employee who can help, otherwise you’ll be out of luck.
You could also run into similar problems if your card has both signature and PIN capability, but the preferred verification method is signature. In this case the terminal sees your card as requiring a signature, which it can’t process. It’s supposed to allow you to enter a PIN, but some people have reported that this does not happen.
Checkout terminals that are updated with the latest software should be able to accept EMV cards that are either signature or PIN. But you may find terminals that aren’t properly configured.
Why Are Some Retailers Blocking Chip Cards?
This Walgreens store uses a terminal that supports reading chip cards, but they block it with a plastic plug.
Sometimes, you’ll find a checkout terminal that looks like it accepts chip cards, but the chip card reader will not work or will be physically blocked. This is most likely because the retailer has plans to switch over to EMV-compliant hardware and software and has already upgraded their terminals, but the full system is not yet ready to accept those cards.
Individual retailers may also have their own reasons for waiting longer to switch over to EMV compliance.
I’m a Merchant, How Do I Accept Chip Cards?
If you’re a merchant you’ll probably want to start accepting chip cards to limit your liability. If you already accept magnetic stripe cards, talk to your merchant provider about accepting chip cards.
Square is currently offering a reader for $49 that works with chip cards and NFC wireless payment technologies, like Apple Pay and Google Pay.
EMV and Card Security
How Do EMV Cards Help Prevent Fraud?
Cybersecurity is often described as an arms race, a contest between data security experts and hackers. As payment systems are made more secure, fraudsters simultaneously work to uncover new vulnerabilities.
EMV chip technology is more secure than the traditional mag stripe, but that doesn’t mean it’s perfect. There is still the potential for card information to be intercepted, and for that stolen card data to be used or sold. And unfortunately, as EMV security has made in-person fraud more difficult, online fraud has increased to fill the gap.
Chip cards help prevent fraud in two main ways, at least: making fraudulent transactions more difficult, and making card duplication more difficult.
Making Fraudulent Transactions More Difficult
There are two basic types of credit card transactions:
- Card present transactions: When the actual card is used for a point of sale transaction, like at physical stores when you insert it into a terminal.
- Card not present transactions: When the card is not available to the merchant for physical inspection, like online purchases, subscription billing, and phone, mail, and fax purchases.
The EMV chip is only used for card present transactions when you insert the chip into the reader. If you swipe the card this will use the mag stripe, and the chip isn’t involved. For card not present transactions, like online purchases, the card information is manually entered into the system, and the chip isn’t used.
So EMV chips are more secure only for point of sale, card present transactions, and only when inserting the card. This enhanced security comes from the unique cryptogram that’s created for each transaction, which is useless for making other purchases.
A mag stripe terminal simply reads the card data contained on the magnetic stripe. This data is static, meaning it’s always the same, compared to the dynamically-generated token used with chip transactions. The data on the mag stripe is always just sitting there on your card, waiting to be read.
Criminals can attach a magnetic stripe reader over an existing card reader, for example at a gas pump, to capture data about every card that’s swiped. The customer may not notice, since the transaction can still go through normally — the information is just being “skimmed” as the card is slipped in and out of the card reader. See this page of Krebs on Security that shows many real life examples of skimmers and other devices that are used to steal credit card information.
EMV is a less passive system. The data on an EMV chip can’t simply be read as the card is inserted into a reader, because the transaction uses a unique cryptogram. These systems can still be hacked, and sometimes they are, but it requires something much more sophisticated than a simple card skimmer.
In some cases, for example, fraudsters attach devices that trick the chip into thinking it’s being used for a signature-verified transaction. The terminal is simultaneously tricked into thinking it received a correct PIN. The result is that both sides approve the transaction, without a real PIN (or signature) being used.
Shady businesses may employ a different nasty technique. They can program the EMV card reader to show the correct amount on the terminal, but actually charge your account a much higher amount. So you may see the correct charge of $35 on the terminal, but later that month you might get a bill for $4,000! Mag stripe cards are vulnerable to this trick, too.
Making Card Duplication More Difficult
It’s fairly easy for a thief to copy a mag stripe credit card. After skimming the information from your card, that data can be “burned” onto a blank counterfeit card, and used just like the original. It’s a bit like your card’s evil twin.
EMV technology is different. That little chip is a complex microprocessor, and it can’t simply be scanned, copied, and replicated. Apparently it is still possible to duplicate EMV chips, but you’d need to “drill into it with lasers and probing stations, and other expensive fiddly equipment,” according to Ross Anderson of Computerphile. So it’s not very easy at all.
However, EMV cards are still vulnerable in some ways. Your card still has a mag stripe on the back. It can be read with a skimmer, as mentioned above, and copies of the card can be made. If you use the mag stripe for a transaction instead of the chip, you won’t get any of those EMV protections and will be vulnerable to skimmers.
But you’re not safe just because you’re using the chip, either. If you use a hacked EMV terminal and thieves obtain your card information, they can use that data to create a mag stripe version of your card. That forged card won’t have a copy of your chip but it will have a copy of your mag stripe, so it can be used in mag stripe readers.
EMV technology doesn’t provide complete protection against fraud, but it does make in-person fraud and counterfeit card creation more difficult. It’s a step in the right direction. But an unfortunate side effect of more chip card transactions has been the subsequent rise of online fraud, as criminals seek out easier means of identity theft.
New EMV standards aren’t exactly the cause of this fraud, as some have claimed, but they have made online transactions more attractive to criminals than card present transactions. So be sure to protect your information and financial tools, both online and offline.
Who’s Responsible for Fraud with EMV Cards?
For the consumer, nothing really changes when it comes to fraud liability with EMV cards. You won’t be held liable for fraudulent transactions in most cases, as long as you alert your card issuer.
Liability for fraud usually rests with the card issuer or payment processor, depending on the specific terms of the account. However, since the transition to EMV technology, fraud liability now lies with the “least-EMV compliant party,” which in some cases might be the merchant. This basically means that if the merchant didn’t install a new EMV system and people are forced to use the mag stripe, the merchant will be held liable for fraud if it occurs.
There are currently four important dates in what is known as the “EMV liability shift:”
- October 1st, 2015: Liability for fraud for most card present transactions switched to the least-EMV compliant party (excludes automated fuel dispensers at gas stations).
- October 1st, 2016: ATMs were included in the new liability rules, with the least-compliant party being held liable.
- October 1st, 2017: Automated fuel dispensers at gas stations were set to be included in the liability shift, but in 2016 this date was moved three years back.
- October 1st, 2020: Automated fuel dispensers at gas stations will be included in the new liability rules.
So October 2020 is the new date at which all card present transactions in the U.S. will be held to these standards, including automated fuel dispensers.
EMV Technology Adoption in the U.S.
The United States has been transitioning slowly to EMV technology since about 2011, when Visa began promoting the idea. EMV cards have been used in Europe and Canada for decades, with many around the world wondering why the U.S. has been lagging behind (but it’s actually catching up pretty fast).
Upgrading to EMV technology is expensive, and people don’t want to change until they really have to. Many retailers, especially smaller stores with less funds to spend on upgrading, have dug their heels in until switching seems like the less costly option.
Things started moving much more quickly with the fraud liability shift that began in October 2015. At this date the least-EMV compliant party became liable for card fraud, which means that if the merchant didn’t upgrade to use EMV chip readers they’d be liable for fraud. This is a big and potentially expensive change for merchants, because usually the card issuer or payment processor would be liable for fraud.
Many retailers now use EMV technology, although not all. In the U.S., pretty much every merchant uses signature as the verification method for credit cards, and PIN for debit cards.
You’ll notice that automated gas pumps usually still use the swipe method. This is because they have until October 2020 to upgrade to EMV. The original date was set to be October 2017, but the deadline was extended to give the U.S. petroleum industry three more years to install the necessary technology.
Gas stations and fuel companies have resisted the change for several reasons, in large part due to the massive cost of switching over.
It’s not as simple as just unscrewing a checkout terminal from a pump and mounting a new one; in some cases, the actual pump needs to be uprooted so the wiring can be updated to handle the new system. Many gas stations are independently owned as part of convenience stores, rather than being run by huge corporations, so the barriers to converting are high.
EMVCo is the primary organization designed to facilitate the spread of EMV technology around the world. They frequently publish reports on the use of chip cards, by both merchants and consumers.
Their most recent set of statistics, from the end of 2017, show that EMV card usage has continued to grow in the U.S. and elsewhere.
EMV Chip Card Deployment. Image credit: EMVCo
EMVCo reports that EMV adoption in the U.S. was at nearly 60% at the end of 2017, with about 785 million EMV cards in circulation.
Visa has some impressive stats on EMV acceptance as well, released in March 2018. Visa reports that:
- Counterfeit fraud has dropped by 76% for merchants who completed the chip upgrade, from December 2015 to December 2017
- Over 2.9 million merchants now accept chip cards, representing 63% of U.S. storefronts
- In March 2018, 97% of card present Visa transactions involved EMV cards
Secure payment technology will continue to improve, and the signature/PIN methods won’t be the last verification modes we see. Mastercard is currently testing a next-gen “biometric card,” which will scan your fingerprint to verify your identity and approve transactions. Biometric cards are currently being trialed in South Africa, with plans for Europe and Asia Pacific in coming months.
Credit card security is important. Thankfully, cardholders are not usually held liable for fraudulent charges. But fraud costs the payments industry an incredible amount of money every year. In 2017 the rates of fraud were higher than ever, with nearly $17 billion lost (i.e., stolen) as a result of identity theft and similar crimes.
EMV cards are usually pretty simple to use, and they make card present transactions more secure. They also make it more difficult to copy cards. Although they’re not a perfectly secure technology, and hackers can still steal information from payment terminals, they’re a big upgrade from the traditional magnetic stripe.
Every card issued in the U.S. today comes with EMV technology, at least Chip-and-Signature. Some also come with Chip-and-PIN, which will make them more useful outside the U.S. See our list of card issuers that offer Chip-and-PIN cards if you’ll be traveling outside the country.
Remember that EMV technology only helps protect against in-person fraud. Be sure to check your credit card statements and monitor your credit reports periodically to check for unauthorized activity.
Frequently Asked Questions
How do chip credit cards work?
Chip cards, like magnetic stripe cards, communicate with payment terminals to verify your credit card information with the merchant you’re trying to pay.
Each time you insert a chip card, the chip and the terminal create a token that contains one-off, transaction-specific information used to make the transaction happen.
So, rather than sending your actual credit card information, like a magnetic stripe would, an EMV chip sends data that’s unique to that purchase. Terminals can then decode this information in order to verify your credit card and complete the purchase.
From the everyday consumer’s perspective, EMV transactions aren’t all that different than magnetic stripe transactions — they’re just a bit more secure (learn more about credit card security).
How do you use a chip credit card?
Using a chip card is simple. Insert the card into the payment terminal, and remove it when the terminal tells you to.
Depending on the size of the purchase and the type of terminal, you may have to provide a signature (particularly in the U.S., where chip-and-signature cards are the standard).
Outside of the U.S., many countries use chip-and-PIN technology. It’s basically the same process — insert your card, enter your PIN, and that’s that.
In some cases, if the terminal can’t accept chip cards or the chip can’t be read, you’ll be asked to swipe your card the traditional way.
Are chip cards more secure?
Yes. While EMV chip cards and magnetic stripe cards share certain flaws, chip cards are more secure.
EMV chips generate new data for every transaction, and this makes chip cards much harder to duplicate than magnetic stripe cards, which relay the same exact information with every swipe. And, because chip cards are so hard to duplicate, it’s more difficult to use them for fraud.
It’s also more difficult to compromise a chip card with a skimming device, since the card won’t provide information like the card number outright unless it’s swiped. It’s not impossible, however — “shimming” is a new-and-improved skimming tactic developed to extract information from a chip card that’s been inserted. That information can then be used to create mag stripe cards.
Another notable imperfection is that much of the U.S. relies on chip-and-signature technology, so criminals can commit fraud by stealing your physical card and simply signing your name. EMV chips don’t offer extra security for online transactions, either — your information can still be compromised by hackers if you have to type out your card details (check out virtual credit cards for a good solution to that).
Credit Card Insider receives compensation from advertisers whose products may be mentioned on this page. Advertiser relationships do not affect card evaluations. Advertising partners do not edit or endorse our editorial content. Content is accurate to the best of our knowledge when it's published. Learn more in our Editorial Guidelines.
Cracking the Uncrackable: Cybercriminals Deploy EMV-Bypass Cloning
- New research by Cyber R&D Lab detailed a method of bypassing EMV technology to monetize supposedly secure cards. This method, EMV-Bypass Cloning, leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques.
- To test this theory, they chose 11 cards from 10 banks from US, UK, and EU issuer countries. The researchers harvested data from four of the cards, created cloned magstripe cards with this data, and successfully placed transactions.
- Gemini data indicates that this technique is already in use among the cybercriminal underground, as seen in the respective breaches of Key Food Stores Co-Operative Inc. and Mega Package Store exposing over 720,000 compromised cards. EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market.
- EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.
The invention of the EMV chip was one of the most significant developments in secure payment card technology. While payment cards had previously relied on the magnetic stripe (magstripe) to store information, fraudsters had been cracking this technology and cloning victims’ cards for years. To prevent fraudsters from placing illicit purchases with cloned payment cards, EMV chips encrypt the payment card data and the CVV (called iCVV for EMV-enabled cards). A new encryption key (also called a token or cryptogram) is generated upon each purchase for Card Present (CP) transactions. This token is generated by the interaction between the EMV chip and the card reader and applies only to that single transaction. Since the token cannot be repeated for an additional transaction, stealing it does not allow cybercriminals to place fraudulent transactions with a cloned EMV-enabled card. There is currently no compelling evidence that any cybercriminals have discovered a method of cloning this technology. EMV chips transformed the underground payment card economy, shifting most illicit markets towards Card Not Present (CNP) records; merchant compliance with regulations mandating EMV chip transactions correlate strongly with the presence of CP fraud in any given country.
However, new research indicates that there are other ways to bypass EMV technology and monetize these supposedly secure cards. An in-depth report by Cyber R&D Lab detailed a method of acquiring enough data through compromised EMV transactions to clone a payment card. This method leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques. Gemini will refer to this technique as EMV-Bypass Cloning.
Magstripes are particularly vulnerable because they do not encrypt the track 1 or track 2 data necessary to place a transaction. This lack of encryption made it easy for fraudsters to steal payment card data, and then equally easy to clone the card with this stolen data. EMV technology is more secure because it encrypts the payment card information stored on the chip during the transaction.
There are multiple ways for a cybercriminal to obtain the payment card data of EMV-enabled cards. The most popular method involves a “shimmer,” a physical device that a cybercriminal attaches to a point-of-sale (POS) terminal to collect payment data before passing it along to the POS terminal itself. This allows the fraudster to steal the card data while allowing the legitimate transaction to take place, which prevents the victim from realizing that their payment card information was compromised.
According to Krebs on Security, the data collected by shimmers cannot be used to clone a chip-based card, although it can be used to clone a magstripe card. While the data that is typically stored on a card’s magstripe is replicated inside the chip on chip-enabled cards, the EMV chip also contains an additional security component not found on a magstripe. That security component is the iCVV number, which differs from the CVV that is located on the magnetic stripe.
However, this layer of security is rendered useless if a financial institution does not check for the proper CVV number during a swipe transaction. Because of this loophole, a cybercriminal can take data from an EMV-enabled card and translate it into magstripe data. That criminal can clone the victim card, creating a fraudulent magstripe card using EMV data. Thus, EMV-Bypass Cloning allows them to bypass the chip’s extra layers of security and revert to an older, more reliable method of fraud.
Fraudsters can use such a cloned card the same way they would use a card cloned from a compromised magstripe transaction. They cause the EMV transaction to fail through one of several ways (e.g., not fully inserting the card into the card reader; covering the EMV chip with tape or superglue; etc.), and then they accept the cashier’s offer to swipe the card instead.
From Theory to Practice
The viability of this technique depends upon a bank’s security posture. If a bank mandates that every card security code is verified upon each card transaction, the technique will fail. However, the Cyber R&D Lab researchers suspected that some banks do not verify the iCVV or CVV for all transactions, which would leave the card vulnerable to exploitation through the method detailed above. To test this theory, they used both an app and a physical card reader to record the card data. They chose 11 cards from 10 banks (including both Mastercard and Visa cards) from US, UK, and EU issuer countries to attempt their experiment.
The researchers used several different types of card readers to interface with all 11 cards, and were able to harvest data from four of them. With the data from these four cards, they created cloned magstripe cards and successfully placed transactions. These transactions would have failed if a simple check for data integrity occurred during payment.
Cyber R&D Lab did not specify which bank/card issuer combinations were most vulnerable to this technique. The issues appear to be twofold: first, the card data could be harvested from four of the 11 cards, which implies a security shortfall from the card manufacturer or the issuer bank’s encoding process for the card data. Second, the banks did not verify that the correct CVV code (as opposed to the harvested and substituted iCVV code) was used in magstripe transactions.
This experiment validates the theory that EMV data can be converted into magstripe data and thus support fraudulent CP transactions. Lack of proper encryption or verification of data integrity appears to enable this technique. If dark web forums circulate EMV-Bypass Cloning guides, it may undermine EMV cards’ security and raise demand for them in the cybercriminal marketplaces, launching a new wave of cyberattacks on a type of transaction previously assumed to be safe.
In the Wild
Gemini data indicates that this technique is already in use among the cybercriminal underground. On January 16, 2020, Gemini identified a massive breach of Key Food Stores Co-Operative Inc., a supermarket chain cooperative with affiliates largely (but not exclusively) in the northeastern United States. Many of the supermarkets in this cooperative use point-of-sale (POS) terminals that support EMV transactions with distinct network security systems. The payment cards stolen during this breach were offered for sale in the dark web. Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback. Analysts had speculated that payment card data on the EMV chip was compromised and repurposed for cloned magstripe cards, and Cyber R&D Lab’s recent revelations provide further clarity into the likely attack vector.
Gemini additionally identified a breach of Mega Package Store, a US wine and liquor store based in the state of Georgia, on June 29, 2020. The stolen cards were also compromised during EMV-enabled transactions. The same attack vector would explain how the attackers managed to compromise and then monetize cards from EMV transactions.
While Cyber R&D Lab demonstrated how EMV-Bypass Cloning can take place with physical access to targeted cards, and Krebs on Security shed further light onto shimmers as a means to steal card data, it is unlikely that the cybercriminals responsible for the Key Food Stores breach physically installed shimmers onto each store location’s POS terminals. Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning.
Gemini notified law enforcement of both breaches shortly after discovering them. Key Food Stores first announced the breach on March 2, and later released an updated statement on July 16 reporting that even its EMV transactions had been compromised. While the public statement claimed that “we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code),” Gemini has observed additional data exposed in the dark web that includes the iCVV, which can be substituted for a CVV in magstripe data to clone a card. This cloned card can place fraudulent transactions depending on the bank’s verification process, as referenced above. The malware, therefore, must have harvested magstripe-equivalent payment card data from EMV-enabled POS terminals. A similar strain likely also infected Mega Package Store. Proper iCVV verification from banks should thwart this technique.
In the breaches of Key Food Stores and Mega Package Store, major supermarkets have lost over 720,000 compromised cards. Since not all card-issuer banks verify the magstripe data upon each swipe transaction to ensure that it was not stolen and translated from the EMV chip, some of these records are viable for EMV-Bypass Cloning. This is encouraging to cybercriminal buyers seeking to cash out these records, which in turn prompts hackers to continue targeting merchants that comply with EMV implementation standards.
EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market. The compromised merchant locations from the Key Food Stores breach are listed in Appendix A, while the Mega Package Store data is in Appendix B.
While analysts have not found dark web chatter highlighting EMV-Bypass Cloning or malware capable of capturing such data from EMV-enabled POS devices, the Key Food Stores and Mega Package Store breaches came from two unrelated dark web sources. This indicates that the technique used to compromise this data is likely spreading across different criminal groups using advanced operational security (OPSEC).
While EMV chips had proved impossible for cybercriminals to crack for many years, EMV-Bypass Cloning has undermined the security of the most reliable card technology on the market. Cybercriminals appear to have already used the technique in the wild to conduct breaches at scale and tap into a new source to feed the CP card dark web market. However, since EMV-Bypass Cloning merely leverages encryption and verification policies rather than compromises EMV technology itself, the solution lies in these same policies.
The four cards vulnerable to this technique in Cyber R&D Lab’s experiment had no verification process checking that the data inputted as magstripe data actually originated as magstripe data rather than being translated from an EMV chip. A higher verification standard involving data checks would raise the threshold of access and undercut fraudulent card use. EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.
|Location||State||City||Address||Exposure Time Period|
|Almonte’s Food Dynasty||NY||Brooklyn||1525 86th Street||04/08/2019 – 01/24/2020|
|Almonte’s Key Food||NY||Brooklyn||5101 Avenue N||04/08/2019 – 01/24/2020|
|Antillana Superfood||NY||Bronx||1339 Jerome Avenue||01/08/2019 – 04/17/2020|
|Brooklyn Fare||NY||Brooklyn||200 Schermerhorn Street||04/09/2019 – 01/24/2020|
|Brooklyn Fare||NY||New York||666 Greenwich Street||03/07/2019 – 01/24/2020|
|Brooklyn Fare||NY||New York||431 W 37th Street||04/09/2019 – 01/24/2020|
|Columbus Foods||NY||New York||81 West 104th Street||03/08/2017 – 02/27/2020|
|Country Markets||NY||Eastchester||344 White Plains Road||03/31/2019 – 01/24/2020|
|Dumbo Market||NY||Brooklyn||66 Front Street||03/31/2019 – 01/24/2020|
|Food Fair||NY||Bronx||1065 E. 163rd Street||04/07/2019 – 01/24/2020|
|Food Fair||NY||Bronx||656 Castle Hill Avenue||03/31/2019 – 01/24/2020|
|Food Fair||NY||Spring Valley||175 E. Central Avenue||03/31/2019 – 01/24/2020|
|Food Fair||NJ||Newark||323 Mount Prospect Avenue||03/31/2019 – 01/24/2020|
|Food Fair||NJ||Paterson||956 Market Street||03/31/2019 – 01/24/2020|
|Food Universe||NY||Bronx||119 Einstein Loop||03/13/2019 – 01/24/2020|
|Food Universe||NY||Bronx||111 Dreiser Loop||03/13/2019 – 01/24/2020|
|Food Universe||NY||Bronx||2061 Bartow Avenue||03/19/2019 – 01/24/2020|
|Food Universe||NY||Bronx||3942 White Plains Road||01/27/2017 – 02/14/2020|
|Food Universe||NY||Bronx||148 East Burnside Avenue||01/27/2017 – 04/17/2020|
|Food Universe||NY||Bronx||82 W. Kingsbridge Road||10/18/2018 – 03/04/2020|
|Food Universe||NY||Bronx||2358 University Avenue||01/05/2019 – 04/02/2020|
|Food Universe||NY||Bronx||60 W. 183rd Street||12/19/2018 – 02/16/2020|
|Food Universe||NY||Bronx||1334 Louis Nine Boulevard||03/29/2019 – 01/24/2020|
|Food Universe||NY||Brooklyn||1038 Rutland Road||01/27/2017 – 02/13/2020|
|Food Universe||NY||Brooklyn||405 Remsen Avenue||01/26/2017 – 03/03/2020|
|Food Universe||NY||Brooklyn||243 Schenectady Avenue||03/12/2019 – 01/24/2020|
|Food Universe||NY||Brooklyn||4118-22 Third Avenue||01/04/2019 – 02/14/2020|
|Food Universe||NY||Brooklyn||416 Crescent Street||03/19/2019 – 01/24/2020|
|Food Universe||NY||Far Rockaway||32-11 Beach Channel Drive||03/13/2019 – 01/24/2020|
|Food Universe||NY||Long Island City||34-14 Steinway Street||04/07/2019 – 01/24/2020|
|Food Universe||NY||New York||538 W 138th Street||03/12/2019 – 01/24/2020|
|Food Universe||NY||New York||70-72 Nagle Avenue||01/26/2017 – 02/25/2020|
|Food Universe||NY||New York||5069 Broadway||01/26/2017 – 03/03/2020|
|Food Universe||NY||Richmond Hill||117-01 Liberty Avenue||03/19/2019 – 01/24/2020|
|Food Universe||NJ||Paterson||498 East 30th Street||04/08/2019 – 01/24/2020|
|Gala Foods||NY||Brentwood||725 Commack Road||04/07/2019 – 11/01/2019|
|Gala Foods||NY||Brentwood||1925 Brentwood Road||03/30/2019 – 01/24/2020|
|Gala Foods||NY||Freeport||111 W. Merrick Road||03/30/2019 – 01/24/2020|
|Gala Foods||CT||Bridgeport||1050 East Main Street||04/07/2019 – 01/24/2020|
|Gala Foods||CT||Bridgeport||1457 Fairfield Avenue||04/07/2019 – 01/23/2020|
|Gala Foods||MA||Worcester||664 Main Street||04/07/2019 – 01/24/2020|
|GalaFresh Farms||NY||Bay Shore||1819 Fifth Avenue||03/28/2019 – 01/24/2020|
|GalaFresh Farms||NY||Brooklyn||492 St. Marks Place||04/25/2017 – 01/26/2020|
|GalaFresh Farms||NY||Riverhead||795 Old Country Road||04/08/2019 – 01/24/2020|
|Gitto Farmer’s Market||NY||Brooklyn||38 Brooklyn Terminal Market||04/09/2019 – 02/14/2020|
|Howard Avenue Market||NY||Brooklyn||8 Howard Avenue||01/12/2019 – 03/10/2020|
|Jumbo Market||NY||Bronx||1383 Nelson Avenue||01/05/2019 – 02/14/2020|
|Key Food||NY||Brooklyn||6620 Avenue U||03/06/2017 – 03/18/2020|
|Key Food||NY||Brooklyn||1610 Cortelyou Road||03/19/2019 – 01/24/2020|
|Key Food||NY||Jackson Heights||86-02 Northern Boulevard||03/13/2019 – 01/24/2020|
|Key Food||NY||Jackson Heights||3754 90th Street||04/07/2019 – 01/24/2020|
|Key Food||NY||Jamaica||166-02 Baisley Boulevard||05/29/2019 – 11/01/2019|
|Key Food||NY||Rock Hill||214 Rock Hill Drive||04/07/2019 – 01/24/2020|
|Key Food||NY||Spring Valley||289 North Main Street||03/19/2019 – 01/24/2020|
|Key Food||NY||Valley Stream||1805 N Central Avenue||03/19/2019 – 01/24/2020|
|Key Food||NY||Woodside||61-10 Queens Boulevard||01/26/2017 – 03/05/2020|
|Key Food||CT||Waterbury||286 Fairfield Avenue||05/14/2019 – 01/24/2020|
|Key Food||FL||Naples||2668 Tamiami Trail E.||04/30/2019 – 01/24/2020|
|Latino’s Supermarket||NJ||West New York||6418 Hudson Avenue||01/27/2017 – 02/14/2020|
|Marketplace||NY||Brooklyn||617 Fifth Avenue||03/08/2017 – 04/22/2020|
|Neighbors Foodmarket||FL||Sunrise||6041 W Sunrise Blvd.||04/13/2019 – 01/24/2020|
|Ozzie’s Fresh Market by Food Universe||NY||Brooklyn||639 Grand Street||04/06/2019 – 01/24/2020|
|Price Choice Foodmarket||NY||Ridgewood||64-01 Fresh Pond Road||02/17/2017 – 02/14/2020|
|The Food Emporium||NY||Brooklyn||8102 3rd Avenue||03/28/2019 – 11/01/2019|
|Top Value Supermarket||FL||Miami||1490 NW 3rd Avenue, Suite 101||04/08/2019 – 01/24/2020|
|Tropical Supermarket||NJ||Dunellen||446 North Avenue||01/29/2017 – 03/17/2020|
|Tropical Supermarket||NJ||North Brunswick||959 Livingston Avenue||01/26/2017 – 04/13/2020|
|Tropical Supermarket||NJ||Perth Amboy||442 Smith Street||01/19/2017 – 02/14/2020|
|Tropical Supermarket||NJ||Somerset||720 Hamilton Street||01/27/2017 – 03/17/2020|
|Tropical Supermarket||NJ||South River||62 Main Street||01/26/2017 – 02/13/2020|
|Tropical Supermarket||NJ||Union City||2400 Central Avenue||01/26/2017 – 04/17/2020|
|Tropical Supermarket||NJ||Union City||1208 New York Avenue||01/27/2017 – 03/03/2020|
|Vitelio’s Marketplace||NY||Kew Gardens||116-15 Metropolitan Avenue||01/23/2017 – 02/13/2020|
|Waverly Gourmet Market||NY||Brooklyn||367 Waverly Avenue||04/09/2019 – 01/24/2020|
|Location||State||City||Address||Exposure Time Period|
|Mega Package Store||GA||Suwanee||2820 Lawrenceville-Suwanee Rd||03/2020 – 06/2020|
Gemini Advisory Mission Statement
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.
- Grizzly anime voice camp
- Polaris sportsman 850 bumper
- Black epson ecotank printer
- Stephanie soo apartment
- File maker pro
- Osrs abbysal demon
The shift from payment cards with magnetic stripes to EMV chips was supposed to stomp out card cloning, except cybercriminals appear to have figured out a workaround.
With magnetic stripe cards, it was relatively easy for criminals to collect the information and copy onto a cloned card. In contrast, the EMV chip on the payment card encrypted the card number and personally identifiable information, making it harder to steal the data and create a cloned card. The EMV technology is also designed to generate a unique encryption key for each transaction where the card is present, so even if the criminal somehow had the card information, the encryption key to validate the transaction would be missing.
However, many companies still haven’t fully implemented EMV card readers, five years after the “switch” to EMV cards. That means card issuers have had to encode the card information on both the magnetic stripe and the EMV chip so that people can use the card both ways—inserting the card in to the card reader or swiping the card. This is necessary for those situations when the user is in a country that doesn’t have EMV terminals, or has to use an older point-of-sale terminal.
There is a subtle difference, though, because the magnetic stripe contains the card verification value (CVV), the three-digit code that is frequently printed on the back of the card, and the chip stores the a different code called the integrated circuit card verification value (iCVV).
Cybercriminals have been creating counterfeit cards by copying the EMV details—including the iCVV—onto the magnetic stripe. Since some banks don’t verify that the magnetic stripe has the CVV and that the EMV chip has the iCVV, the criminals are able to use the magnetic stripe cards containing the EMV data, said cybersecurity company Gemini Advisory.
“EMV technology may have changed the underground market for CP [card-present] records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market,” Gemini Advisory said.
The fact that this was possible to do has been known since 2008,but the assumption was that banks would shift all their customers to using EMV cards and that magnetic stripe cards would disappear because everyone would have EMV point-of-sale terminals. The official switchover was back in 2015, and the idea was that banks would verify transactions carefully until a time when magnetic stripe cards would no longer be needed. The fact that some banks were not verifying CVV and iCVV correctly created this loophole.
It is looking very likely that this technique is already being used, Gemini Advisory said. Analysts looked at two recent incidents where criminals breached point-of-sale systems at supermarket chain Key Food Stores and liquor store Mega Package Store and captured EMV data for more than 720,000 payment cards. The magnetic stripe clones with the stolen data could be used in card-present transactions if the issuing bank doesn’t properly verify the CVV.
“While analysts have not found dark web chatter highlighting EMV-Bypass Cloning or malware capable of capturing such data from EMV-enabled POS devices, the Key Food Stores and Mega Package Store breaches came from two unrelated dark web sources,” Gemini Advisory said. “This indicates that the technique used to compromise this data is likely spreading across different criminal groups.”
Gemini Advisory’s findings comes shortly after researchers at Cyber R&D lab examined Visa and MasterCards issued by 11 banks in the United States, United Kingdom, and a few other countries in the European Union and found four cards were not properly verified. Researchers were able to make transactions using counterfeit magnetic stripe cards that were generated with data collected from EMV chip cards because those card issuers did not catch the fact that the cards were using iCVV instead of CVV.
In the past, cybercriminals typically did not target EMV data because there wasn’t a clear way to monetize the information. The fact that the criminals are increasingly trying to steal EMV data suggests that is no longer the case. For example, Visa issued a warning recently that known point-of-sale malware families such as Alina, Dexter, and TinyLoader have been stealing payment card data from EMV chip-enabled point-of-sale terminals, according to Brian Krebs of KrebsonSecurity.com.
This problem can be solved. The banks need to verify which code is being used when approving payment transactions.
“A higher verification standard involving data checks would raise the threshold of access and undercut fraudulent card use,” Gemini Advisory concluded. “EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.”
FinanceBank SecurityPci Dss