New Security Flaw in Credit Card Chip System Revealed?

Posted: Aug 16, 2016
Author: Lou Grilli

Not true! Chip cards are solving the problem they were intended to solve.

A number of leading news organizations recently reported that a security flaw in chip cards has been discovered, questioning the security benefits offered by EMV technology. One article suggests there are ways to completely undo the security the chip-enabled cards provide. The articles pointed to research presented by two people from NCR, a payments technology leader. Their research was presented at Black Hat, a widely attended hackers convention where research, security flaws, and hacks are presented to the public and to fellow security experts with the goal of closing security gaps before they can be exploited.

The NCR presentation that caught the attention of major news outlets covering payments is titled “Breaking the Payment Points of Interaction”. The two speakers, a software security architect and the head of application security, demonstrated that inserting “man in the middle” software into the payment stream at the merchant’s site, combined with a payment stream that is not end-to-end encrypted, gives fraudsters the opportunity to capture payment data from a chip card transaction and use the stolen data either online or as a mag stripe transaction. The presenters accurately portrayed that chip cards do prevent counterfeiting of chip cards at the point of sale.

The presenters were able to demonstrate that when fraudsters use stolen payment data as described, they could make purchases from an online site, commonly known as a card-not-present (CNP) transaction. Interestingly, they demonstrated that a counterfeit card could be created by encoding the stolen data onto a mag stripe card, with the track data altered to indicate that the card does not have a chip, so it can be swiped, thus bypassing the anti-counterfeiting benefits of EMV. This scenario only works on an offline terminal. Offline terminals are not connected to the internet for real-time authorizations; instead, authorizations are batched and submitted periodically. There are no offline terminals in the U.S., but they can still be found in other countries. The researchers never stated nor implied that there is a flaw in chip cards. They stated that “There’s a common misperception that EMV solves everything. It doesn’t.”
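The counterfeit described above relies on track data that claims the card has no chip. An issuer can catch that from its own records, because it knows which service code it encoded on each card. The following is an added illustration, not code from the article or from NCR; the issuer record table and sample track data are constructed, and the service-code meaning follows ISO/IEC 7813 (first digit 2 or 6 means an IC chip is present).

```python
"""Issuer-side check for downgraded mag-stripe track data (hypothetical example).

If a swiped authorization arrives whose Track 2 service code differs from the one
the issuer encoded on the card, the track was rewritten; if a chip card arrives as
a plain swipe, it is a fallback transaction that deserves risk review.
"""
import re

# Track 2 layout (ISO/IEC 7813): [;]PAN=YYMM service-code discretionary-data[?]
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed sample of issuer records: PAN -> service code encoded at issuance.
ISSUED_SERVICE_CODES = {
    "4111111111111111": "201",  # issued as a chip card
    "4000000000000002": "101",  # issued as a mag-stripe-only card
}


def parse_track2(track2: str) -> dict:
    """Split Track 2 into PAN, expiry, service code and discretionary data."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def chip_capable(service_code: str) -> bool:
    """True when the service code says an IC chip is present on the card."""
    return service_code[0] in ("2", "6")


def evaluate_swipe(track2: str, entry_mode: str) -> str:
    """Decide how an issuer should treat a mag-stripe authorization request.

    Returns one of: 'approve', 'review-fallback', 'decline-downgrade',
    'decline-unknown-pan'.
    """
    t = parse_track2(track2)
    issued = ISSUED_SERVICE_CODES.get(t["pan"])
    if issued is None:
        return "decline-unknown-pan"
    if t["svc"] != issued:
        # Track data no longer matches what the issuer encoded: rewritten stripe.
        return "decline-downgrade"
    if entry_mode == "swipe" and chip_capable(issued):
        # Genuine chip card presented as a swipe: technical fallback, flag for review.
        return "review-fallback"
    return "approve"
```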

The point the researchers made was that merchants who have upgraded their terminals to process chip transactions, but who have no encryption or weak encryption on the payment stream, are leaving payment data vulnerable, which is a completely accurate warning.

Twisted news reports

But some of the news outlets that carried this story twisted the results by reporting that chip cards are inherently flawed, that a security hole exists in chip cards, and indirectly implied that the estimated $6 to $8 billion spent on chip card upgrades didn’t solve anything.

To the contrary, early reports show that the fraud reduction from chip cards can already be seen. MasterCard reported that “among their top five EMV-enabled merchants, counterfeit fraud in terms of U.S. dollars has dropped by over 60%”. And Visa reported that “among the 25 merchants who were suffering the most instances of counterfeit fraud at the end of 2014, five that began processing credit and debit cards equipped with the new EMV technology saw those infractions fall 18.3% as of the final quarter of 2015”. A Visa spokesperson said, “We’re seeing that EMV is having a positive impact on counterfeit fraud. Merchants who implement chip, their counterfeit fraud is going down, while those still finalizing plans, their counterfeit fraud is going up.”

What does all this mean to credit unions?

First, don’t be misled by headlines that read “You Know Those New Chips in Your Credit Card? They’re Failing You Miserably”. Chip cards are solving the problem they were intended to solve by reducing counterfeit cards presented at the POS. Second, keep up member education to safeguard their cards. Remind your members to cover their hands when entering their PIN at the ATM. They need to be wary of unusual prompts at a terminal or requests to enter a PIN a second time, either of which may indicate nefarious software inserted in the terminal. Also, when shopping online, use Visa Checkout, MasterPass or Apple Pay instead of entering payment credentials into a website. Always be alert for phishing scams and remind members never to click on links in an email unless they absolutely trust and can verify the sender. It seems obvious, but members should never enter their card numbers in response to a request sent via email or a phone call, and it is good practice for them to check their debit and credit accounts often, daily if possible, and report suspicious activity immediately. If the slot where a cardholder inserts their card at an ATM or a gas pump doesn’t look right, they should move on and report the suspicious activity. And members should never access their banking or credit account over public Wi-Fi.

Lou Grilli


Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.
