October 1 came and went in the US, marking the beginning of the “liability shift” wherein when fraud occurs, the card issuer or merchant will be held responsible for it and no longer the consumer, who is usually the “careless party” in such situations.
It has been 20 days now, and as far as I know, we have yet to hear news that the sky has fallen. Suffice to say, “So far, so good”.
Recently, Computerphile has published a YouTube video about the current tactics that fraudsters employ against EMV (or chip-and-PIN) cards. They interviewed Ross Anderson, a professor of Security Engineering at the Computer Laboratory at the University of Cambridge and a known expert in bank-related fraud.
Below are some takeaways from the video:
- The introduction of EMV cards decreased card fraud for a little while, but then it shot up again.
- Fraudsters can introduce an external, third-party device to a terminal wherein data from the card can be copied and relayed back to a false terminal elsewhere.
- Copied data from a chip-and-PIN card can be transferred into magnetic-strip cards and used in terminals that only process such cards (Author’s note: These duplicate cards can be used in countries where EMV cards are unpopular or not used).
- It is possible for fraudsters to physically tamper with legitimate EMV terminals and introduce other devices to them. In one case, fraudsters introduced a small mobile phone that texted back card details it was able to intercept to the fraudsters during a transaction.
- A product called “slim SIM”, which is being sold in China and used for cheap roaming services, can actually aid fraudsters in stealing card details. A “slim SIM” is an ultra-thin SIM chip that can adhere to regular SIM cards like a sticker, and it is capable of reading transactions between the SIM card and a mobile device. The same principle happens if used on chip-and-PIN cards while transacting with terminals. This ZDNet article published in late 2014 can give you more ideas on the potential risks a “slim SIM” can do.
Here is the actual Computerphile video:
The Professor may not have mentioned it in the video (He has in other publicly available media, though), but let us not forget terminals infected by malware can pose risks, too.
The existence of flaws in EMV technology is no secret. Like any other currently working system, it has its own unique vulnerabilities, too. Most of the tactics presented by Professor Anderson involve the tampering of EMV terminals, a problem that can only be addressed by the manufacturers and the banks themselves. In this case, there is nothing more users can do other than avoid paying by card in places where such “evil EMV terminals” could be found, such as strip clubs.
Users can also look out for signs of tampering in EMV terminals. If they find any, they should report it immediately to the retailer.
Keep learning, dear Reader, and remain vigilant with the security of your data.
Other related post(s):