Cybercriminals could be stealing data from payment cards with EMV chips and using it to create magnetic stripe cards which they can use for card-present transactions, cybersecurity firm Gemini Advisory reported on Thursday.
EMV technology encrypts the information stored on a card and uses a unique encryption key that is generated for each card-present transaction to prevent malicious actors from conducting other transactions even if the information stored on the chip is compromised.
This has made it impossible for fraudsters to create clones of EMV cards, as they have done with magnetic stripe cards, from which data can be easily obtained and encoded on a blank card.
Many companies still haven’t fully implemented EMV card readers, which has forced card issuers to encode the data needed to make payments on both the magnetic stripe and the EMV chip. The main difference is that the magnetic stripe contains one card security code, or card verification value (CVV), while the chip stores a different code called integrated circuit card verification value (iCVV).
The problem is that some banks don’t check to ensure that the CVV is provided when the magnetic stripe is used and the iCVV is provided when the chip is used for a transaction.
This enables cybercriminals who can steal EMV card data to encode that data on a magnetic stripe, inserting the iCVV instead of the CVV that is expected to be on the magnetic stripe.
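The missing issuer-side check described above can be sketched as follows. This is an added example, not code from Gemini Advisory, Cyber R&D Lab or any bank; the record layout, entry-mode labels, reason strings and card values are constructed for illustration, and a real issuer derives the expected codes in its own systems rather than storing them like this.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRecord:
    pan: str
    cvv: str   # code the issuer encoded on the magnetic stripe
    icvv: str  # different code the issuer stored on the EMV chip

@dataclass(frozen=True)
class Txn:
    pan: str
    entry_mode: str  # "magstripe" or "chip" (hypothetical labels)
    code: str        # verification value presented with the transaction

def weak_check(card, txn):
    """Flawed validation: any code known for the card is accepted."""
    return txn.code in (card.cvv, card.icvv)

def strict_check(card, txn):
    """Bind the code to the channel it was issued for; returns (approved, reason)."""
    if txn.entry_mode == "magstripe":
        expected, other, mismatch = card.cvv, card.icvv, "icvv_on_magstripe"
    elif txn.entry_mode == "chip":
        expected, other, mismatch = card.icvv, card.cvv, "cvv_on_chip"
    else:
        return False, "unknown_entry_mode"
    if txn.code == expected:
        return True, "ok"
    return False, (mismatch if txn.code == other else "bad_code")

def audit(cards, txns):
    """Indexes of transactions the weak check approves but the strict check declines."""
    findings = []
    for i, txn in enumerate(txns):
        card = cards.get(txn.pan)
        if card is None:
            continue
        approved, reason = strict_check(card, txn)
        if weak_check(card, txn) and not approved:
            findings.append((i, reason))
    return findings

# Constructed sample data, not real card numbers or codes.
PAN = "4000000000000002"
CARDS = {PAN: CardRecord(PAN, cvv="123", icvv="456")}
TXNS = [
    Txn(PAN, "chip", "456"),       # chip read with iCVV: expected
    Txn(PAN, "magstripe", "123"),  # swipe with CVV: expected
    Txn(PAN, "magstripe", "456"),  # swipe carrying the chip's iCVV
    Txn(PAN, "magstripe", "000"),  # swipe with a wrong code
]
```

Running `audit(CARDS, TXNS)` flags only the third transaction, the one a lenient issuer would approve; the `icvv_on_magstripe` reason is also a useful fraud-monitoring signal in its own right.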
Researchers at Cyber R&D Lab conducted an experiment recently using Visa and MasterCard cards issued by 11 banks in the United States, United Kingdom and some EU countries, and found that four of them were not properly verified by banks, enabling fraudsters to make transactions using magnetic stripe cards that were generated with data obtained from EMV chips.
This EMV-bypass cloning technique may already be used by fraudsters in the wild, with Gemini Advisory pointing to two recent security incidents that involved hackers stealing data from cards that were compromised during EMV transactions. The impacted US companies, supermarket chain Key Food Stores and liquor store Mega Package Store, apparently lost more than 720,000 payment cards.
Fraudsters could have used the stolen EMV data, which is believed to have been obtained as a result of a breach of the point-of-sale (PoS) systems at the two companies, to create magnetic stripe clones, which could then be used for fraudulent card-present transactions if the issuing bank fails to properly verify the CVV.
“While analysts have not found dark web chatter highlighting EMV-Bypass Cloning or malware capable of capturing such data from EMV-enabled POS devices, the Key Food Stores and Mega Package Store breaches came from two unrelated dark web sources. This indicates that the technique used to compromise this data is likely spreading across different criminal groups using advanced operational security (OPSEC),” Gemini Advisory explained.
Security blogger Brian Krebs pointed to a recent alert from Visa warning that known PoS malware families such as Alina, Dexter and TinyLoader were successfully used to steal payment card data from EMV chip-enabled PoS terminals.
Gemini Advisory said, “EMV technology may have changed the underground market for CP [card-present] records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market.”