A new flaw has turned up in the chip-based cards on offer in the U.S.
According to new data released by researchers at NCR, credit card thieves can apparently rewrite the magstripe so that the card appears chipless when run through a card reader, even though such readers should reject the swipe and tell the user to insert the chip. This means fraudsters can continue to clone the magstripes of EMV cards and put the clones to use.
The hole is made possible, according to reports, because retailers are not encrypting their transactions as part of their EMV upgrade.
“There’s a common misperception EMV solves everything. It doesn’t,” noted Patrick Watson, one of the researchers.
The new flaw adds another line to retail’s ongoing list of complaints about EMV. The NRF has complained that the expensive upgrade ($25 billion) has done little to make retailers safer since unencrypted transactions are essentially just as hackable as they’ve ever been.
Randy Vanderhoof, director of the U.S. Payments Forum, weighed in on the research, stating: “This is not an attack on EMV technology, it’s an attack on the magnetic stripe. If the data on the magnetic stripe is altered it might fool the terminal, but when the authorization request gets to the issuer, they can recognize it was altered because they know what information should be on the magnetic stripe, and will therefore reject the transaction. These kinds of risks with magnetic stripe cloning or altering is exactly the kind of problem that EMV is best at preventing.”
Terminal makers Ingenico and Verifone both affirm that they offer point-to-point encryption, but also note that retailers and their partners must choose to turn it on.
The NCR researchers officially advised merchants to “encrypt everything” in a transaction. They also said consumers should pay with special apps on their phones and watches whenever the high-tech option is available.