New Security Flaw in Credit Card Chip System Revealed

Mercator Overviews

by Sarah Grotta August 9, 2016 2:27 pm0

A story that is getting broad attention in industry publications as well as the popular press suggests that EMV chip cards that still sport a magnetic stripe on the back are easily hacked and open to counterfeit fraud. If true, this is not welcome news as issuers and merchants are spending $7 to $8 Billion to reissue cards and upgrade terminals. It appears that there is a little more hyperbole to this story and the payment system is more secure than reports might have readers believe.

As reported by CNN, researchers at NCR presented their finding regarding weaknesses in EMV chip last week at the Black Hat conference:

Computer security researchers at the payment technology company NCR demonstrated how credit card thieves can rewrite the magnetic stripe code to make it appear like a chipless card again. This allows them to keep counterfeiting — just like they did before the nationwide switch to chip cards.

This claim of a glaring hole in EMV, the chip-based system, is possible because of the way many retailers are upgrading their payment machines: They’re not encrypting the transaction.

This suggests that the magnetic stripe can be hacked so the code which tells the terminal that the card is in fact an EMV chip card fools the terminal into thinking it’s an old fashioned magnetic strip only card. This allows fraudsters to create counterfeit cards just as they did prior to the issuance of EMV cards.

Although the magnetic strip may be compromised, it doesn’t meant that the transaction will be successful. Once the authorization request gets to the issuer processor, the processor will know that the card is an EMV chip card at an EMV capable terminal and should have been processed as an EMV transaction. The transaction will be declined at the processor.

It would be much easier for fraudsters to steal magnetic stripe card data from cards that have yet to migrate to EMV and use them at merchants who have not updated their terminals. There are plenty of both still available.

Overview by Sarah Grotta, Director, Debit Advisory Service at Mercator Advisory Group

Read the full story here