How to protect your business against EMV card fraud
Nov 16, 2016 Walt Wojciechowski
EMV cards are a step up from magnetic stripe cards. While the latter store static information that hackers could steal through skimming techniques, the former contain dynamic data that's difficult to duplicate.
Despite the advantages associated with EMV cards, they're not completely devoid of security flaws. Every technology, no matter how advanced or contemporary, has its vulnerabilities, and the latest chip cards are no exception.
How can hackers use EMV cards to commit fraud?
While it's difficult, if not impossible, to counterfeit an embedded chip, hackers are using a different method to commit fraud with EMV cards. As reported by CNN, payment technology developer NCR delivered a presentation at the Black Hat 2016 conference in Las Vegas earlier this year showing just how hackers could compromise EMV cards.
Most EMV cards also carry a magstripe. Whenever a cardholder inserts his EMV card into a PIN pad, the magstripe tells the device to communicate with the chip. Cybercriminals could exploit this process by rewriting the magstripe to dupe PIN pads and other point-of-sale systems into thinking they're interacting with a magstripe card.
PYMNTS.com cited insights from Randy Vanderhoof, director of the U.S. Payments Forum, who noted that the heart of the problem lies with the magstripe.
"If the data on the magnetic stripe is altered it might fool the terminal, but when the authorization request gets to the issuer, they can recognize it was altered because they know what information should be on the magnetic stripe, and will therefore reject the transaction," said Vanderhoof. "These kinds of risks with magnetic stripe cloning or altering is exactly the kind of problem that EMV is best at preventing."
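The issuer-side check Vanderhoof describes can be sketched as follows. This is an added example, not code from the article or from any issuer. It assumes the ISO/IEC 7813 track 2 layout, in which a 3-digit service code follows the expiry date and a first digit of 2 or 6 marks a chip card. The card numbers, the record store and the approve/review/decline policy are constructed for illustration.

```python
import re

# ISO/IEC 7813 track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# A first service-code digit of 2 or 6 means the card has a chip that should be used.
CHIP_SERVICE_DIGITS = {"2", "6"}

# Constructed issuer records (hypothetical): what was encoded on each issued card.
ISSUER_RECORDS = {
    "4000000000000002": {"exp": "2512", "svc": "201"},  # chip card
    "4000000000000010": {"exp": "2512", "svc": "101"},  # magstripe-only card
}


def parse_track2(raw):
    """Split raw track 2 data into its fields, or raise ValueError."""
    match = TRACK2.match(raw.strip())
    if not match:
        raise ValueError("malformed track 2 data")
    return match.groupdict()


def review_swipe(raw_track2, records=ISSUER_RECORDS):
    """Return (decision, reason) for a magstripe-read authorization request."""
    try:
        track = parse_track2(raw_track2)
    except ValueError as err:
        return ("decline", str(err))
    issued = records.get(track["pan"])
    if issued is None:
        return ("decline", "unknown card")
    # The issuer knows what it encoded, so any altered field shows up here.
    if track["exp"] != issued["exp"]:
        return ("decline", "expiry differs from issued value")
    if track["svc"] != issued["svc"]:
        return ("decline", "service code differs from issued value")
    # Unaltered stripe, but a chip card arrived as a swipe: treat as fallback.
    if issued["svc"][0] in CHIP_SERVICE_DIGITS:
        return ("review", "chip card processed as magstripe")
    return ("approve", "magstripe-only card, track data matches")
```

The "review" branch covers a separate case from tampering: the stripe is intact, but a chip card was read as a swipe, which an issuer may want to score more strictly.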
How organizations can protect themselves
Businesses should shape their fraud prevention strategies around their operations, covering vulnerabilities inherent in particular processes.
One fraud detection and prevention method involves using bank verification and aggregation solutions to spot anomalous behavior among repeat customers. With the right input, machine learning tools can distinguish users based on their actions. Bank verification and aggregation solutions track consumers' bank account transaction history (with the consumers' permission). Depending on how merchants integrate that information into their operations, they can set alerts that indicate when anomalous behavior occurs.
End-to-end encryption is another effective fraud prevention asset. According to the National Institute of Standards and Technology, E2EE occurs when a device encrypts information the instant it's created. Once the recipient (such as a payment processor) receives the encrypted data, the information is decrypted. In conventional circumstances, an intermediate asset, such as a server, would decrypt the data before sending it on to the receiving party. That intermediate decryption step creates a vulnerability that E2EE avoids.
Payment terminal manufacturers such as Ingenico and Verifone offer E2EE through their devices, as noted by PYMNTS.com. However, the device makers noted merchants must turn the E2EE functions on in order to benefit from them.
Effective fraud prevention strategies are adaptable. As new technologies come to market, companies will have to cope with new threats.