Have you ever been asked at a point-of-sale (POS) terminal to swipe your EMV chip card over a magstripe reader instead of inserting it into the chip reader? If the answer is affirmative, it’s time to heighten your vigilance. The security of your finances may be at stake. EMV chip cards were introduced as a significant upgrade to the older magnetic stripe cards, primarily to combat fraud. However, with the advent of a new exploit method known as EMV Bypass Cloning, the safety net provided by these cards is under threat. Here is how.
What are EMV Chip Cards?
Europay, MasterCard, and Visa (EMV) chip cards represent a universal standard for credit and debit payment cards based on chip card technology. Unlike traditional magnetic stripe cards, EMV chip cards come with an embedded microprocessor, a small computer. This microprocessor securely stores the cardholder’s data and performs cryptographic processing during a payment transaction.
When you use an EMV card to make a payment, the card is inserted or “dipped” into the card reader. The chip on the card then communicates with the reader to authenticate it, ensuring it’s valid and hasn’t been tampered with. This process creates a unique transaction code that cannot be reused. As a result, even if the transaction data were intercepted, it couldn’t be used to carry out fraudulent transactions, providing a significant security advantage over magnetic stripe cards. Over the past two decades, EMV adoption has grown significantly. By the end of 2021, more than 12 billion EMV cards were circulated globally, representing over 86% of all payment cards.
Components of EMV Technology
EMV technology consists of several key components that provide enhanced security for payment transactions. These components include:
Microprocessor Chip
The embedded microprocessor chip in EMV cards stores sensitive cardholder information and performs cryptographic functions necessary for transaction authentication. These chips are designed to be tamper-resistant and secure, making it difficult for criminals to extract data.
Application Protocol Data Unit (APDU)
Application Protocol Data Units are a critical component of the EMV communication protocol, enabling data exchange between the EMV chip card and the terminal. Each APDU consists of the command message and the response message.
The command message is sent from the terminal to the chip card, containing instructions for the card to perform certain actions. The response message is sent from the card to the terminal, containing the result of the command execution. APDUs are designed to be secure, encrypted, and easily parsed by the card and terminal, ensuring efficient communication.
Issuer Script
Issuer scripts are commands the card issuer sends to the EMV chip card during a transaction. These scripts can update card settings, change PINs, or perform other administrative tasks to help manage the card and its security features.
Cryptograms
Cryptograms are unique, encrypted codes generated by the chip during a transaction. They are used to authenticate the transaction and ensure the integrity of the data. Cryptograms provide an additional layer of security, as they are dynamic and unique to each transaction, making it difficult for criminals to reuse the data for fraudulent purposes.
How EMV Chip Cards Work
The EMV chip card process offers a more secure transaction method than traditional magnetic stripe cards. The dynamic authentication process and multiple verification steps make it challenging for criminals to clone or counterfeit cards.
Card insertion
The cardholder inserts their EMV chip card into the terminal’s card reader, establishing a connection between the card’s embedded microprocessor chip and the terminal.
Data exchange
The terminal and the chip card exchange data using Application Protocol Data Units (APDUs) specifically designed for secure communication between the two devices. APDUs consist of command messages sent from the terminal to the chip card and response messages sent from the card to the terminal. These messages are encrypted to prevent unauthorized access to sensitive data.
Terminal authentication
To ensure the terminal is legitimate, the chip card requests the terminal’s public key certificate. The terminal provides the certificate, which the card verifies using the issuer’s public key. This step helps protect against fraudulent terminals attempting to skim card data.
Card authentication
The terminal generates a random number and sends it to the chip card. The card combines this random number with its card data and transaction information to create a unique cryptogram. The cryptogram is sent back to the terminal, which checks against the information stored on the chip to ensure the card is genuine and the transaction information remains unaltered.
Cardholder verification
The terminal performs cardholder verification, which may involve various methods depending on the card issuer’s preferences and the terminal’s capabilities. These methods include entering a Personal Identification Number (PIN), providing a signature, or using biometrics such as fingerprint or facial recognition. This step helps protect against unauthorized use of the card.
Transaction authorization
Once the card and cardholder have been successfully verified, the terminal sends the transaction data, including the cryptogram, to the card issuer for authorization. The issuer checks the cryptogram and other transaction details and approves the transaction if everything appears valid.
Transaction completion
The terminal receives the authorization response from the card issuer, and the transaction is completed. The cardholder is informed of the successful transaction, and the purchased goods or services are provided.
Security Features of EMV Technology
EMV technology offers several important security features designed to protect against fraud:
Dynamic Authentication
Unlike magnetic stripe cards, which use static data that can be easily copied, EMV chip cards generate a unique, one-time-use code for each transaction. This dynamic authentication process makes it much more difficult for criminals to clone cards and conduct fraudulent transactions.
Offline Data Authentication
EMV chip cards can authenticate offline data, allowing them to validate transactions even when the terminal is not connected to the internet. This reduces the risk of fraudulent transactions being approved due to compromised communication channels.
Cardholder Verification
EMV technology supports various cardholder verification methods (CVMs), such as signature, PIN, or biometrics, to further protect against unauthorized use. The CVM used during a transaction is determined by the issuer’s preferences and the terminal’s capabilities.
Transaction Risk Management
EMV chip cards can perform transaction risk management, analyzing each transaction for potential signs of fraud. If a transaction is deemed high risk, the card may require additional verification or decline altogether.
These security features have significantly reduced the instances of card-present fraud in countries where EMV technology has been widely adopted. However, as the rise of EMV bypass cloning demonstrates, no technology is immune to determined cybercriminals.
Loopholes in EMV Chip Cards
EMV chip cards offer significantly enhanced security compared to magnetic stripe cards. However, as the saying goes, every lock has a key, and they are not immune to attacks. Cybercriminals are seeking new ways to exploit vulnerabilities in the system. Some of the loopholes or weaknesses in EMV chip cards include the following:
Skimming and shimming
Skimming involves using a device to read and steal card data from the magnetic stripe on the card. Shimming, conversely, targets chip cards by inserting a thin device between the chip and the card reader, intercepting communication and stealing card data. These stolen data can be used to create cloned magstripe cards, though the cloned cards will lack the dynamic authentication features of a genuine EMV chip card.
EMV bypass cloning
This technique exploits vulnerabilities in the communication process between the EMV chip card and the payment terminal. Fraudsters use skimming or shimming devices to steal data from the chip, create a cloned magstripe card, modify the terminal, or use software to bypass the chip’s security features, authorizing fraudulent transactions without the genuine chip.
Implementation flaws
Some vulnerabilities can arise from improper implementation of EMV technology by card issuers, merchants, or terminal manufacturers. These flaws can create security gaps that fraudsters can exploit.
Social engineering attacks
Fraudsters may use social engineering tactics, such as phishing or pretexting, to trick cardholders into revealing sensitive card data or personal identification numbers (PINs). This information allows criminals to conduct unauthorized transactions or create cloned cards with the cardholder’s data.
What is EMV Bypass Cloning?
EMV bypass cloning involves using a skimming device to steal the data from the chip on a legitimate EMV card and then creating a cloned magstripe card with the same information as the original, including the cardholder’s name, account number, and expiration date.
The embedded chip creates a unique, one-time-use code when an EMV card is used for a transaction. This process, known as dynamic authentication, is designed to prevent the card’s data from being reused. Even if a criminal intercepted the transaction data, they could not use that same code to conduct another transaction. In other words, they couldn’t create a perfect clone of the card that can be used repeatedly.
However, with the advent of techniques like EMV Bypass Cloning, criminals have found ways to circumvent the chip’s security features. EMV cards still carry a dedicated magstripe as a fallback option, which allows compatibility with older POS machines and with non-EMV countries during travel.
Instead of trying to clone the chip, criminals create counterfeit magnetic stripe cards that trick the payment terminal into using the less secure magnetic stripe reader, bypassing the chip’s security measures.
How EMV Bypass Cloning Works
EMV bypass cloning involves exploiting vulnerabilities in the communication process between an EMV chip card and a payment terminal. The process typically involves the following steps:
Skimming the card
Fraudsters use a skimming device to steal the data from the chip on a legitimate EMV card. The skimming device may be a modified payment terminal or a separate device placed over the legitimate card reader.
Data extraction
Once the skimming device has captured the data from the chip, it is typically stored on a laptop or smartphone. The data can be extracted using specialized software or tools.
Creating a cloned card
Fraudsters can use the extracted data to create a magnetic stripe card with the same information as the original, including the cardholder’s name, account number, and expiration date.
Bypassing the chip
Fraudsters must avoid the EMV chip’s security features to use the cloned card for fraudulent transactions. When the counterfeit card is used at a payment terminal, it sends a false signal that the chip is malfunctioning. Because of this supposed malfunction, the terminal defaults to the magnetic stripe for processing the transaction. The magnetic stripe does not have the same security measures as the chip, allowing the transaction to be approved even though the card is not genuine.
The Impacts of EMV Bypass Cloning on Consumers
EMV bypass cloning can have various negative impacts on consumers. Here are some of the consequences that can arise from this type of fraud:
Financial loss
The most direct impact of EMV bypass cloning on consumers is the potential for financial loss. Fraudsters can use cloned cards to make unauthorized transactions, draining funds from the victim’s account. Although banks and financial institutions often have fraud protection measures in place, there may be limitations on liability coverage, leaving consumers responsible for part or all of the losses.
Credit score damage
Unauthorized transactions and fraudulent activities can harm a consumer’s credit score. Failure to detect and report fraud promptly can lead to missed payments, increased debt, and other negative factors that can hurt credit scores. A damaged credit score can make it difficult for consumers to secure loans, rent an apartment, or even get a job.
Identity theft
EMV bypass cloning can be a gateway to more severe forms of identity theft. Once criminals can access a consumer’s financial information, they can use it to open new accounts, apply for loans, or commit other fraudulent acts in the victim’s name. This can lead to long-term consequences and can be challenging to resolve.
Loss of trust
EMV bypass cloning can undermine consumers’ trust in the security of the payment system and financial institutions. As a result, consumers may become hesitant to use their cards for transactions, seeking alternative payment methods instead.
Time and effort to resolve issues
Dealing with the aftermath of EMV bypass cloning can be time-consuming and stressful for consumers. They must report the fraud, close compromised accounts, dispute unauthorized charges, and monitor their credit reports. Resolving these issues can take a significant amount of time and effort.
The Impact of EMV Bypass Cloning on Merchants
EMV bypass cloning can have significant negative impacts on merchants as well. The following are some potential repercussions that merchants may face as a result of this type of fraud:
Financial loss
Merchants may be liable for fraudulent transactions resulting from EMV bypass cloning, especially if they fail to implement proper security measures or do not comply with the required standards. This can lead to chargebacks, where the merchant must refund the transaction amount to the cardholder, as well as possible fines and penalties.
Loss of reputation
Fraud incidents, including EMV bypass cloning, can damage a merchant’s reputation. Clients may doubt the safety of the merchant’s payment system and choose to shop elsewhere, leading to declining sales and customer loyalty.
Increased operational costs
Dealing with the aftermath of fraud can be costly for merchants. They may need to invest in additional security measures, update their payment infrastructure, or hire experts to help mitigate the risk of future incidents. Furthermore, merchants may face higher payment processing fees due to an increased risk profile.
Legal and regulatory consequences
If a merchant is non-compliant with industry standards (such as the PCI DSS), they may face fines, penalties, or legal consequences. Non-compliance can also lead to increased scrutiny from regulatory bodies and the potential for more severe penalties in the event of future security breaches.
Loss of productivity
Merchants may need to divert resources, including time and personnel, to deal with fraud-related issues. This can lead to a loss of productivity and additional expenses as merchants focus on addressing the fallout from EMV bypass cloning incidents.
How can consumers protect against EMV bypass cloning?
Consumers can take several steps to protect themselves against EMV bypass cloning and minimize the risk of falling victim to the fraud:
Monitor account activity regularly
Review your account statements and online banking activity to quickly identify unauthorized transactions. If you notice anything suspicious, inform your bank or card issuer immediately.
Use contactless payments
Touchless payment methods, including mobile wallets and contactless EMV cards, often use additional layers of security that make it more difficult for fraudsters to clone cards. By employing contactless payment options, you can reduce your risk of falling victim to EMV bypass cloning.
Be vigilant at POS terminals
When using your card at a point-of-sale (POS) terminal, be cautious of any unusual activity or signs of tampering. Skimming devices can be used to steal card data, which can then be used for EMV bypass cloning. If something seems off, consider using a different terminal or reporting the issue to the merchant or your card issuer.
Protect your card from physical theft
Store your card in a safe place, and never leave it unattended. If your card is lost or stolen, report it to your issuer immediately to minimize the risk of unauthorized transactions.
Use strong, unique PINs
For debit and credit cards that require a PIN, choose a strong and unique PIN that cannot be easily guessed. Avoid using easily recognizable numbers, such as your birthdate or sequential numbers. Change your PIN regularly and never share it with others.
Be cautious of phishing scams
Fraudsters may use phishing emails, text messages, or phone calls to trick you into revealing your card information. Be cautious of unsolicited communications asking for personal or financial information, and never provide your card details to an unverified source.
How Can Merchants Protect Against EMV Bypass Cloning?
Merchants can protect themselves against EMV bypass cloning by implementing several security measures and best practices:
Ensure EMV compliance
Ensure your point-of-sale (POS) terminals are EMV-compliant and updated with the latest software and security features. This can help reduce the risk of vulnerabilities that criminals can exploit for EMV bypass cloning.
Educate employees
Train your employees on properly using EMV chip card technology and the potential risks of EMV bypass cloning. This can help them identify suspicious activity and prevent fraudulent transactions.
Implement additional security measures
In addition to EMV compliance, consider implementing other security measures such as end-to-end encryption, tokenization, and strong access controls for your POS systems. These added layers of security can help protect your business from fraud and the financial losses associated with EMV bypass cloning.
Monitor transactions
Keep a close eye on transaction activity and look for unusual patterns or signs of potential fraud. Should you observe any unusual activity, promptly notify your payment processor or card-issuing company.
Secure your network
Ensure your business network is secure and protected from cyberattacks. Regularly update your software, use strong passwords, and install firewalls to prevent unauthorized access.
Be cautious of phishing scams
Inform your staff about the risks associated with phishing emails, text messages, or phone calls that may attempt to trick them into revealing sensitive information or granting access to your systems.
Conduct regular security audits
Periodically review your security protocols and conduct audits to identify any potential vulnerabilities that could be exploited for EMV bypass cloning. Address any identified weaknesses promptly.
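One way to apply the "Monitor transactions" advice above to the magstripe fallback that EMV bypass cloning relies on, as an added example that is not part of the original article. It assumes each transaction record keeps the card's three-digit service code and an ISO 8583 POS entry mode; the field names, the entry mode table and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})\d*\??$")

# Commonly used ISO 8583 POS entry mode values (an assumption: confirm them
# against your processor's specification).
SWIPE_MODES = {"02", "90"}   # magnetic stripe read
FALLBACK_MODE = "80"         # chip read failed, terminal fell back to the stripe

def service_code(track2: str) -> str:
    """Extract the service code at read time; do not retain the full track."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("not valid Track 2 data")
    return m.group(3)

def card_has_chip(txn: dict) -> bool:
    # A service code starting with 2 or 6 says the card carries a chip.
    return txn["service_code"][0] in "26"

def used_stripe(txn: dict) -> bool:
    return txn["entry_mode"] in SWIPE_MODES or txn["entry_mode"] == FALLBACK_MODE

def classify(txn: dict) -> str:
    """Return 'ok', 'review' or 'alert' for one transaction record."""
    if not used_stripe(txn) or not card_has_chip(txn):
        return "ok"                      # chip was used, or the card has no chip
    if txn["entry_mode"] == FALLBACK_MODE:
        return "review"                  # declared fallback: legitimate when rare
    # Chip card swiped, with no fallback indicator, on a chip-capable terminal.
    return "alert" if txn["terminal_has_chip_reader"] else "review"

def stripe_share_by_terminal(txns: list) -> dict:
    """Fraction of chip-card transactions per terminal that used the stripe."""
    total, stripe = defaultdict(int), defaultdict(int)
    for t in txns:
        if card_has_chip(t):
            total[t["terminal"]] += 1
            stripe[t["terminal"]] += used_stripe(t)
    return {term: stripe[term] / total[term] for term in total}

def rec(txn_id, terminal, entry_mode, track2, chip_reader=True):
    return {"id": txn_id, "terminal": terminal, "entry_mode": entry_mode,
            "service_code": service_code(track2),
            "terminal_has_chip_reader": chip_reader}

# Constructed sample data (test PAN, made-up terminal ids).
CHIP_CARD = ";4111111111111111=30122010000000000?"     # service code 201
STRIPE_ONLY = ";4111111111111111=30121010000000000?"   # service code 101
SAMPLE = [
    rec(1, "T1", "05", CHIP_CARD),     # chip read
    rec(2, "T1", "80", CHIP_CARD),     # declared fallback
    rec(3, "T2", "90", CHIP_CARD),     # chip card swiped, no fallback flag
    rec(4, "T2", "90", STRIPE_ONLY),   # genuine stripe-only card
    rec(5, "T2", "80", CHIP_CARD),     # declared fallback
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["id"], classify(t))
    print(stripe_share_by_terminal(SAMPLE))
```

A terminal whose chip cards go over the stripe far more often than its peers is worth a physical inspection of the reader.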
Role of Technologies in Containing EMV Bypass Cloning
Emerging technologies such as biometric authentication, artificial intelligence (AI), and blockchain hold significant promise for improving chip card security in the future. For example, biometric authentication, such as fingerprint or facial recognition, can help to further enhance cardholder verification and prevent unauthorized access to cards.
AI can be used to analyze transactions in real-time, detecting anomalies and patterns that may indicate fraud. This can help prevent unauthorized, fraudulent transactions and enable faster and more accurate detection of fraudulent activity.
Blockchain technology, which provides a decentralized, tamper-resistant ledger of transactions, can improve the security and transparency of payments, making it more difficult for cybercriminals to manipulate or steal transaction data.
As the payment industry continues to evolve and face new threats from cybercriminals, staying abreast of these emerging technologies and incorporating them into payment systems to maintain consumer trust and security will be essential.
Secure Transactions in a Digital World
EMV chip cards were developed to provide a more secure payment method than magnetic stripe cards. However, new threats like EMV bypass cloning have emerged, prompting consumers, merchants, and the payment industry to remain vigilant in addressing these challenges.
All stakeholders must continue working together and stay informed about emerging technologies to enhance payment security and minimize fraud. Consumers should proactively monitor their account activity and utilize secure payment options, while merchants must maintain EMV compliance and adopt additional security measures. By collaborating and staying ahead of evolving threats, we can ensure electronic payments’ ongoing success and security.