
Credit card payments may not be as secure as you'd like


Chip-based credit and debit cards are perceived as being very good at fending off skimming attempts and malware attacks. Being able to use your card by tapping it appears to be better than swiping it along the magnetic strip on a point of sale (POS) terminal. But rising numbers of malware attacks on merchants in the US suggest there are weaknesses whichever method you use.

Criminals are exploiting the technology built around EMV, the standard originally developed by the three major card suppliers: Europay, Mastercard and Visa. The encryption methods used in EMV have long been seen as a more secure way of keeping data safe, especially compared to cards armed with just a magnetic stripe.

However, because not all outlets in the US have chip card readers, or due to the possibility of malfunctioning hardware, cards also still carry the magnetic stripe that can be used during transactions. This dual functionality could be leaving merchants open to ‘shimming’ attacks, which can occur when a series of system cross-checks is being made during a transaction. These include checking the three-digit security code printed on the back of a card.

While all chip-based cards carry much the same data as the magnetic stripe, there are key differences between them. Central to this is a component called an iCVV, or integrated circuit card verification value. This so-called dynamic CVV found on an EMV chip is different from the regular CVV on a magnetic stripe and helps prevent the magnetic stripe data from being used to create fake magnetic stripe cards.

Magnetic stripe cards

Security issues can also arise if financial institutions haven’t set up their back-end systems as well as they could have. 

Researchers at Cyber R&D Labs recently published a report illustrating how they tested 11 chip card setups from 10 different European and US banks. The results showed that it was possible to harvest data from four, resulting in the ability to produce working magnetic stripe cards that could be used for transactions. 
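The back-end check at issue, as an added example that is not from the article, the researchers or any bank: an issuer that accepts whichever verification value matches lets data read from the chip work on a magnetic stripe, while one that ties the value to how the card was read declines it. The card values, entry-mode labels and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRecord:
    # Constructed values. A real issuer derives both cryptographically from
    # card keys; they are literals here so the example runs offline.
    pan: str
    cvv1: str   # value encoded on the magnetic stripe
    icvv: str   # value carried in the chip's copy of the stripe data

@dataclass(frozen=True)
class AuthRequest:
    pan: str
    entry_mode: str   # "chip" or "magstripe" (labels assumed for this example)
    value: str        # verification value presented by the terminal

def lenient_check(card: CardRecord, req: AuthRequest) -> bool:
    """Weak back end: accepts either value regardless of how the card was read."""
    return req.pan == card.pan and req.value in (card.cvv1, card.icvv)

def strict_check(card: CardRecord, req: AuthRequest) -> tuple[bool, str]:
    """Hardened back end: the value must be the one that belongs to the entry mode."""
    if req.pan != card.pan:
        return False, "unknown_card"
    expected = {"chip": card.icvv, "magstripe": card.cvv1}.get(req.entry_mode)
    if expected is None:
        return False, "unsupported_entry_mode"
    if req.value == expected:
        return True, "ok"
    if req.value in (card.cvv1, card.icvv):
        # A valid value from the other interface: stripe data built from a chip
        # read, or the reverse. Decline and flag the account for review.
        return False, "value_from_other_interface"
    return False, "bad_value"

CARD = CardRecord(pan="4000000000000002", cvv1="123", icvv="456")
REQUESTS = {
    "genuine chip": AuthRequest(CARD.pan, "chip", "456"),
    "genuine stripe": AuthRequest(CARD.pan, "magstripe", "123"),
    "stripe built from chip data": AuthRequest(CARD.pan, "magstripe", "456"),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name}: lenient={lenient_check(CARD, req)} strict={strict_check(CARD, req)}")
```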

Indications suggest that point of sale (POS) malware is being used by criminals to capture EMV transaction data. This is then being resold on the Dark Web, allowing thieves to produce magnetic stripe variants of chip-based cards.

Visa also recently released a security alert highlighting the issue of compromised EMV chip-enabled POS terminals. Malware variants included Alina POS, Dexter POS and TinyLoader. The alert issued a series of recommendations for merchants to follow in order to reduce the risk of exposure.