October 6, 2016
New security flaw in EMV system revealed
Internationally, retailers and consumers alike are dealing with the frustrations and inconveniences of EMV chip cards in exchange for the promise of increased security. EMV-enabled cards were designed and marketed as a means of protection against the credit card fraud and data theft that has plagued physical transactions (at retailers like Target and Home Depot) for years. The tiny chip in each EMV-enabled card contains its holder’s personal information and has long been touted as nearly impossible to breach or counterfeit.
Researchers at NCR Corporation have found a security flaw in the chip cards that has raised a few questions. When a consumer uses a chip card on a card reader that is not yet EMV-compliant, the reader reverts back to taking the card information from the card’s magnetic stripe – the same magnetic stripe that’s still so vulnerable to theft. As of the end of June 2016, only 45 percent of the United States’ largest retailers were fully EMV-compliant, so the impact of this flaw could cause problems for both retailers and consumers.
“Chip cards still come with a magnetic strip so that they can be used at point-of-sale transactions with a merchant that has yet to upgrade to EMV-enabled terminals,” says CreditCardForum’s Ben Woolsley. “Hackers have now found a way to rewrite the code on the strip, making it act like a chip-less card again, allowing them to steal the card information.”
NCR employees Nir Valtman and Patrick Watson presented these findings at this year’s Black Hat security conference. They detailed how an attacker would be able to capture “Track 2” data transmitted from the card to the card reader by using a Raspberry Pi, causing it to appear not-yet chip-enabled and thus pull user data from the magnetic stripe.
“You can write the data to a magstripe card and if you’re offline, no one’s the wiser,” Watson said.
At present, these flaws are conjectural – as far as we know, no working EMV cards have been hacked. If you’re confident this revelation doesn’t apply to you because you’d surely notice someone hooking a separate computer to your POS, consider all the damage done by ATM skimmers – these days, criminals are creative and technology is tiny.
So what can you do to protect your stores from the faults in chip cards and their readers? Work with your payment terminal providers to make sure your transactions are encrypted, according to the NCR researchers. Simply upgrading your system does not mean automatic encryption, as even EMV-enabled payment machines are unencrypted by default.
The bottom line, says Watson, is this: “There’s a common misperception EMV solves everything. It doesn’t.”