Attack the Weakest Link – Fraudsters Break EMV By Focusing on Magnetic Stripe

This just in. Fraudsters have broken the Chip Card.  They have figured out a way to break the once though infallible technology with something remarkably simple.  Instead of focusing on the Chip itself, fraudsters focus instead of the magnetic stripe.  That’s right.  To break the Chip, just change the magnetic stripe.

Confused yet?  Well I was until I finally understood how brilliant it was. Let me explain further.

First, Let’s Understand Fallback

When EMV technology was implemented last year, merchants and banks decided to allow fallback to the magnetic stripe.  In fact, the magnetic stripe is often the first way that consumers in the US still default to.

The consumer will swipe their card.  The terminal will pick up the track details and analyze if it has a Chip embedded on the card.  If it does than it will force the consumer to put the card into the CHIP reader to process the transaction.

Fallback is necessary because not all cards have been migrated and the terminals still need to be able to handle magnetic stripe cards.

Herein lies the problem.  The magnetic stripe is essentially still used in the authentication of the card.  This is the vulnerability that is being exposed.

To Break the Chip Card, Simply Alter the Magnetic Strip

To break the Chip Card the fraudsters merely have to change the code on the magnetic strip that says the card is a chip card, to a code that indicates it is a magnetic strip card.


The magnetic strip on the credit card contains 76 characters that the machines reads to determine many things about the card.  By altering one of the characters, the fraudsters can fool the machine into thinking a CHIP card is actually a magnetic strip card only.

magstripe


NCR who does analysis on Chip Cards believes that this could have all been avoided by implementing end to end encryption on the cards which have rendered the stolen cards absolutely useless.  But that wasn’t done indicating that fraudsters will take advantage of any hole in the system they can.

You can read the full article by Tracy Kitten here who always does a fantastic job on writing about the latest fraud trends – EMV Loophole.

FallBack Transactions Allow the Fraudsters to Continue to Use Breached Data

Information on hundreds of millions of stolen cards are still available on the black market so the fraudsters are highly incented to make this scheme work.

Buying the card numbers is cheap for them and the altering of the magnetic strip is very easy. And the list of card numbers is growing everyday.  Hackers are still stealing card numbers even after the implementation of Chip card because the cards can still be used. You can read about  the recent Wendy’s Attack Here.

Over 700 million records that were data breached last year, means this vulnerability in Chip Card could have lots of legs.

databreachesrecord

The Weakest Link Principle Always Applies

You never want to be the only house on the block that doesn’t lock your door.  The crooks will always choose your house to break into.  The same applies with credit cards and right now the US is the only house on the block that isn’t locking our door.

It’s going to take years to make EMV work in the US but we will never achieve any benefit until processes like fallback are eliminated.  We won’t really stop most of the fraud until we implement PIN as part of the process as well.

Even then, we can expect that the fraudsters will just change the game again by finding another loop hole.  That’s just the fraud game.

What do you think about this?  Did you see this coming from a mile away?

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California