Prime Factors Blog

What Does Fraud Look Like in the EMV Era?

Posted by Pete Flagella on Mar 7, 2017 10:00:00 AM


The sad truth of life is that criminals will never be completely thwarted when it comes to achieving their goals. No matter how sophisticated safety techniques are, there is always someone ready to challenge them. EMV chips have been hailed as the new way to reduce fraud, but while they are making it harder on criminals, hackers are still finding ways to apply their talents to this new form of payment. We'll take you through what EMV fraud looks like at the stores, on the internet, and at the ATM.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Brick and Mortar Relief

One of the most compelling reasons for the US to switch to EMV cards was that the United Kingdom saw its brick-and-mortar credit card fraud reduced by 75% in just over 8 years after implementing the new method. These cards give each transaction a unique code, meaning that if a hacker gets ahold of the codes from the establishment, they can't be used for other purchases in the form of a counterfeit card. This type of roadblock was not 100% impervious to fraud, but the chips did make it much more difficult. The investment of time and effort required wasn't worth it for criminals. But while brick-and-mortar stores saw a reduction in theft, it wasn't as simple for other forms of fraud.
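An added example, not from the original post: a simplified issuer-side model of the per-transaction code described above, showing why a code captured at a merchant is rejected when presented again. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the counter, terminal nonce, class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def card_cryptogram(card_key, counter, amount_cents, terminal_nonce):
    """Chip side: MAC over this transaction's data with the key held in the chip."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Hypothetical issuer that shares a key with each chip it has issued."""
    def __init__(self):
        self.card_keys = {}     # account number -> key also stored in the chip
        self.last_counter = {}  # account number -> highest counter accepted

    def enroll(self, pan, card_key):
        self.card_keys[pan] = card_key
        self.last_counter[pan] = 0

    def authorize(self, pan, counter, amount_cents, terminal_nonce, cryptogram):
        key = self.card_keys.get(pan)
        if key is None:
            return "decline: unknown card"
        expected = card_cryptogram(key, counter, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "decline: cryptogram mismatch"
        if counter <= self.last_counter[pan]:
            return "decline: counter already used"
        self.last_counter[pan] = counter
        return "approve"

def demo():
    pan = "4000000000000002"   # constructed sample account number
    key = os.urandom(16)       # never leaves the chip or the issuer
    issuer = Issuer()
    issuer.enroll(pan, key)
    nonce = os.urandom(4)      # fresh value chosen by the terminal
    code = card_cryptogram(key, 1, 2500, nonce)
    first = issuer.authorize(pan, 1, 2500, nonce, code)
    # The same captured message presented a second time.
    replay = issuer.authorize(pan, 1, 2500, nonce, code)
    # The captured code attached to a different purchase.
    reused = issuer.authorize(pan, 2, 9900, os.urandom(4), code)
    return first, replay, reused

if __name__ == "__main__":
    print(demo())
```

Static stripe data has no equivalent of the counter or the keyed code, which is why the same captured values keep working on a swipe.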

Online Is the New Brick

Once EMV cards were implemented in Europe, there was a rise in online transaction fraud. Criminals turned their attention to the virtual world for the easy scores they had become used to with the older stripe versions of credit cards. In 10 years, Europe saw a 120% increase in card-not-present fraud. While they could no longer glean the necessary information to make purchases after hacking into the systems of a regular store, they could still obtain the card numbers and expiration dates and key them in manually for online purchases. Card numbers aren't difficult to find on the black market, and they're available for criminals of all levels. While many of those numbers are out of date and useless, some are valid EMV chip cards just ready to be taken. Criminals also infiltrated unsecured websites and public Wi-Fi networks, and even created fake online businesses to trick people into making false purchases.

Skimming Gets a Makeover

Skimming is a way of stealing credit card information through a small device placed on card readers (e.g., at gas stations, stores, ATMs, etc.). Europe saw 131 million euros lost due to skimming fraud at ATMs. Recently, there's been a huge spike at fuel pumps, mainly due to the fact that it is both easy to commit skimming fraud and extremely difficult for gas station owners to switch their machines over to EMV technology. Visa recently delayed their deadline an additional three years to give owners more time to make the changes. In the EMV era, there are still merchants who are having a difficult time implementing the right safety measures, opening up more chances for fraud. But even as skimming becomes more widely known, it now has a very destructive cousin known as "shimming," which has been adapted to capture valuable information at EMV card readers throughout the world. While this technique isn't as universally known, that may change as more criminals understand how to get their hands on shimmers.

Small and Dangerous

A shimmer is a tiny device that can fit between the chip reader in the ATM and the chip on the inserted card. It was named because people have to shimmy the object to fit it into a fairly tight slot. It's impossible to see, making it difficult for regular consumers and merchants alike to take proactive measures to save themselves the hassle of fraud. Once the shim is in, it records the data transmitted from the chip onto the shim where the criminal can then retrieve it for later use. This information includes both the expiration date and the account number on the card. Once the criminal has this in hand, they can make a magnetic stripe card with the information. They would be unable to make an EMV-chip card due to the increased security values, but they can still do damage with a swipe card — practically every establishment still takes them. The customer would have no way to tell that anything was amiss until they started being alerted by credit companies of odd charges.

Take the Money and Run

Criminals can also compromise an ATM by trapping the cash that people would otherwise get out of the machine. When this happens, the card-holder keeps their card but can't get the cash. In this case, the criminals are only after the money, and for the most part, it is an untraceable crime. The criminals will still need to come back to the ATM to pocket the cash, but they won't be able to glean PIN or account information from the card. EMV cards can also be physically stolen at the machine. Card trapping means that the card is swallowed by the machine until hackers can come to collect it. This compromises the PIN, and allows criminals to take the cards later to make cash withdrawals at other ATMs.

End-to-End Encryption

The best way to prevent credit card fraud is to implement tokenization and end-to-end encryption (E2E). Many companies, including banks, are having difficulty implementing the right authorization methods when it comes to credit card transactions, which is why we're seeing certain types of fraud rise. Shimmers are rendered almost entirely useless to thieves when the correct security measures are put in place at both ATMs and standard card readers. True E2E encryption protects data from the second the card is 'dipped' into the machine until the bank receives the information, even if the machine has been compromised. Unfortunately, EMV cards will never be enough because the information can still be successfully intercepted. This security step goes one step further than standard measures to drastically reduce your chances of becoming a victim.



Topics: Tokenization, encryption, PCI Data Encryption, EMV