Cyber security professionals at NCR Corporation, a payment technology company, have recently found a security flaw in EMV chip cards. Their newly reported research has consumers and card issuers raising concerns over the fraud protection these cards originally promised.
Chip cards still come with a magnetic strip so that they can be used at point-of-sale transactions with merchants who have yet to upgrade to EMV-enabled terminals. Hackers have now found a way to rewrite the code on the strip, making it act like a chip-less card again and allowing them to steal the card information. When a customer swipes a chip card, they should be prompted to insert the chip instead, but if that code has been altered, it tells the point of sale that it is not a chip card and requests that the transaction be sent to the issuing bank for approval as a magnetic strip transaction. This is called a fallback transaction, which happens when EMV security protocols are bypassed and the transaction is limited to the protections of the magnetic strip.
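An issuer-side check for the altered-strip case described above, as an added example that is not from NCR's research or from this article. It assumes the standard ISO/IEC 7813 track 2 layout, in which a three-digit service code follows the expiry date and a first digit of 2 or 6 marks a card that carries a chip; the function names, the issuer record table and the card number are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
CHIP_FIRST_DIGITS = {"2", "6"}  # first service-code digit when the card has a chip

def parse_track2(raw):
    """Split raw track 2 data into the fields the check needs."""
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("malformed track 2 data")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}

def assess_swipe(raw_track2, issued_service_codes, terminal_chip_capable):
    """Decide how an issuer could treat a magnetic strip authorization request.

    issued_service_codes maps PAN -> the service code the issuer encoded at
    personalization (hypothetical record store, an assumption of this example).
    """
    card = parse_track2(raw_track2)
    issued = issued_service_codes.get(card["pan"])
    if issued is None:
        return "decline: unknown card"
    if card["service_code"] != issued:
        # The strip no longer says what the issuer wrote to it.
        return "decline: service code on strip does not match issuer record"
    if issued[0] in CHIP_FIRST_DIGITS and terminal_chip_capable:
        # Genuine chip card read by strip at a chip terminal: a fallback.
        return "review: fallback transaction on chip card"
    return "approve: continue normal authorization"

# Constructed sample data: one chip card issued with service code 201.
ISSUED = {"4111111111111111": "201"}
GENUINE = ";4111111111111111=25122010000000000?"
ALTERED = ";4111111111111111=25121010000000000?"  # service code changed to 101

if __name__ == "__main__":
    print(assess_swipe(ALTERED, ISSUED, terminal_chip_capable=True))
    print(assess_swipe(GENUINE, ISSUED, terminal_chip_capable=True))
    print(assess_swipe(GENUINE, ISSUED, terminal_chip_capable=False))
```

The point of the comparison is that the terminal trusts what the strip says about the card, while the issuer can compare it with what it originally encoded.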
Two examples of this type of magnetic strip security breach occurring in the national retail market are the hacks that happened with Target and Home Depot just two years ago, leaving millions of customers the victims of credit card theft.
This news comes as the latest in a line of issues the chip system has been experiencing. Merchants have been struggling to implement EMV terminals since the compliance deadline of Oct. 1, 2015 imposed by U.S. card issuers Visa, MasterCard, Discover and American Express. At CreditCardForum, we found that only 45 percent of the largest U.S. retailers were fully compliant with EMV by the end of June, almost nine months past the deadline, so many consumers are still left swiping their chip cards.
Several other problems have been raised as consumers complain about the increased length of time it takes to complete a chip card transaction and retailers fret over the fraud liability shift that has now been put into their hands.
Still, these latest security concerns are technically only theoretical as there hasn’t been a reported case of cyber criminals using this re-encryption technology on chip cards. It has, however, left card issuers quickly pursuing a solution before hackers have the opportunity to steal the information. New software and hardware developments will address this new security gap, but consumers should always be monitoring their accounts to help protect themselves from a security violation.
If you feel you’ve been a victim of credit card fraud, whether you have a chip-enabled card or magnetic strip only, CreditCardForum has outlined everything you should know and specific steps you should take to protect yourself immediately. Every card holder should be aware of the rules that govern protection, as well as what to do in the event of fraud.