Computer researchers may have found a flaw in chip-based credit cards. Though the cards are designed to combat fraudulent cloning, apparently there’s a way to rewrite the magnetic stripe code so it resembles the standard Europay, MasterCard and Visa (EMV) card.
Researchers at the payment technology company NCR presented their findings at the Black Hat computer security conference last Wednesday, CNN Money reported. “There’s a common misperception EMV solves everything,” Patrick Watson, one of the researchers, reportedly told the site. “It doesn’t.”
All a thief has to do is alter the data on the magnetic stripe so that it fools the terminal, the researchers said. As a result, the researchers suggested retailers encrypt whatever they can to help protect customers.
For their part, major machine makers Verifone and Ingenico said that they offer end-to-end encryption on retailers’ machines, CNN reported. Meanwhile, Jason Oxman, a spokesperson for the Electronic Transactions Association, a trade group, said via email that the issue “actually has nothing to do with the chips” at all. Here’s why:
“Every magnetic stripe on a chip-enabled card has a code on it that tells the POS at a retailer that if the customer tries to swipe the card, they should be prompted to insert the chip card instead. This ensures that the chip is used instead of the magnetic stripe. What this researcher figured out a way to do is alter the code on the magnetic stripe to say to the POS ‘I am not a chip card,’ and then to ask the POS to send the transaction to the issuing bank for approval as a magnetic stripe transaction. This is called a fall back transaction because the transaction should be a chip transaction, but it will fall back to a magnetic stripe transaction.
The issuing bank, when it receives the authorization request, will know that the card is a chip-enabled card [despite] the bad code on the magnetic stripe card, and the issuing bank will make the decision whether to approve the fall back transaction or not, based on a variety of factors. (The hacked code on the magnetic stripe card can only fool the POS, not the issuing bank.)”
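The issuer-side check Oxman describes can be sketched as follows. This is an added example, not part of the original article. It assumes the stripe follows the ISO/IEC 7813 Track 2 layout, in which a first service-code digit of 2 or 6 marks a chip card; the sample stripes, the `entry_mode` field and the decline/review policy are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})\d*\?$")
CHIP_DIGITS = {"2", "6"}  # first service-code digit: card has a chip

# Constructed sample data (test PAN, not a real account).
ISSUED_WITH_CHIP = {"4111111111111111"}  # stand-in for the issuer's card records
GENUINE_STRIPE = ";4111111111111111=30122010000000000?"
ALTERED_STRIPE = ";4111111111111111=30121010000000000?"  # service code 201 -> 101


def parse_track2(track2):
    """Return (pan, expiry_yymm, service_code) or raise ValueError."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("malformed Track 2 data")
    return m.groups()


def assess(track2, entry_mode, issued_with_chip=ISSUED_WITH_CHIP):
    """Issuer-side view of one authorization request.

    entry_mode is a hypothetical field: "chip" or "swipe".
    The returned decisions are an assumed policy, not a card-scheme rule.
    """
    pan, _expiry, service_code = parse_track2(track2)
    stripe_says_chip = service_code[0] in CHIP_DIGITS
    card_has_chip = pan in issued_with_chip

    if entry_mode == "chip":
        return ("continue", "chip transaction")
    if card_has_chip and not stripe_says_chip:
        # The stripe contradicts the issuer's own record of the card.
        return ("decline", "service code altered to hide the chip")
    if card_has_chip:
        # Unaltered stripe, chip unread: ordinary fallback, left to risk scoring.
        return ("review", "fallback on a chip card")
    return ("continue", "magnetic-stripe card")


if __name__ == "__main__":
    for stripe in (GENUINE_STRIPE, ALTERED_STRIPE):
        print(parse_track2(stripe)[2], assess(stripe, "swipe"))
```

The terminal sees only the stripe, so it cannot make this comparison; the issuer can, because it holds its own record of which cards it issued with a chip.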
Doug Johnson, senior vice president of the Payments and Cybersecurity Policy division at the American Bankers Association, said it’s important to remember banks’ additional protections for customers.
“End-to-end encryption is an important security measure for retail point-of-sale transactions that merchants have endorsed and should implement,” he said. “At the same time, it is important to remember that bank customers will be fully reimbursed for any unauthorized transaction against their account.”
If you carry a chip card and believe you’ve been a victim of fraud, you’ll want to contact your credit issuer immediately to cancel the card. After that, it’s a good idea to monitor your credit reports for any additional signs of trouble. (You can see your free credit report summary, updated every 14 days, on Credit.com.) You may also want to change your financial account passwords and PINs to be on the safe side.