Gemini Advisory, a U.S. cybersecurity firm, warned Thursday that hackers might have found a way around the tough security on ATM access cards with data-encrypting Europay, Mastercard, and Visa (EMV) without cloning them. The sale of stolen card data from two hacks in the U.S. this year is likely the result of the vulnerability being abused by cybercriminals, Gemini said in a report.
The report highlights that the technique can be “dangerously effective” if banks don’t perform a check when processing card transactions. The reverse is also true: If banks properly do security checks, the technique is blunted.
Gemini calls the technique “EMV by-pass cloning.” Briefly, by using malware on point-of-sale (POS) machines, a small but vital piece of data is extracted from the EMV chip called the iCVV number, which is needed for transaction verification. This number can then be copied onto the magnetic stripe on the back of a blank payment card. The criminal then swipes (not taps, because it doesn’t have a chip) the new card in a bank or retailer’s card reader, which reads the mag stripe and sees the iCVV. Without proper processing by the financial institution, it might be accepted as if it was the original card with an EMV chip.
In short, a crook can take information from an EMV chip and transfer it to a mag stripe on a different card. No need to clone the chip; the scam works because POS machines around the world still accept the less secure mag stripes for transaction information.
Gemini credited a report issued earlier this month by a consulting firm called Cyber R&D Lab with discovering the technique. Lab researchers did a proof of concept and then tested it on cards from 11 unnamed banks in Europe and the U.S., out of which four accepted transactions using the fake cards.
After reading the report, Gemini says it believes that this discovery explains the recent sale on the dark web of 720,000 payment card numbers with iCVV numbers from the January hack of a northeastern U.S. supermarket chain and the June 29 hack of card data from a wine and liquor store in the state of Georgia. Gemini also says it believes that the cybercriminals must have used the EMV by-pass cloning technique to get the iCVV numbers.
There is another way of getting iCVV numbers, and that’s by secretly installing an electronic shimmer inside a point of sale device or ATM to capture the number as customers use the cards. However, Gemini notes the two hacks involve too many payment card numbers for even several compromised POS devices to capture. So, it concludes, the by-pass cloning technique was used in those hacks.
“EMV technology has until now been as secure as it gets,” Christopher Thomas, an intelligence production analyst at Gemini Advisory, said in an interview. “So it’s significant there’s a workaround… That is certainly a cause for alarm. However, it’s also important to note that Cyber R&D Lab compromised four out of 11 cards, the verification systems of the other banks did work. This seems to be a problem that only affects banks that are not verifying the way they should be.”
The Canadian Bankers’ Association, which represents the country’s major banks, wouldn’t comment on the Gemini report. Instead, it issued the following statement, “Banks are leaders in cybersecurity and their highly-skilled IT security teams use advanced technologies to safeguard their operations and keep their customers’ money and data safe from illegitimate acts. Banks constantly scan the threat horizon to stay on top of ever-evolving fraud typologies and thwart attacks of all kinds.”
Now for the more detailed explanation of the Gemini and Cyber R&D Lab reports: Most people know the back of payment or access cards have a CVV number for card and transaction verification in what the payment industry calls “card not present” purchases over the phone or online. Buyers are sometimes asked to read out or type in the number.
The CVV number is also part of the hidden information (including issuing bank, cardholder name) on the magnetic stripe on the back of cards for point-of-sale machines to read when the cards are swiped in “card present” purchases in stores. The coding on mag stripes was cracked by cybercriminals decades ago, allowing them to create counterfeit payment cards with cloned mag stripes, thus forcing banks and credit card companies to adopt the EMV chip.
These chips are protected by tough data encryption that prevents cloning. The transaction data on every chip includes an iCVV number, which is different from the card’s CVV number. When processing a transaction with an EMV card, bank computer systems are supposed to compare the CVV number on the mag stripe to make sure it hasn’t been substituted for an iCVV number. If the card has it, then the card isn’t safe.
EMV chips have foiled counterfeiters since they were introduced in the late 1990s, first in Europe, then in Canada and more recently in the U.S. Last year’s Visa said for those merchants whose stores had converted to accepting EMV cards saw a 76 per cent drop in fraud over three years.
Criminals who use stolen credit cards for card-not-present transactions rely on data they can take from magstripes.
Use of NFC data
If it’s not hard to clone mag stripes, Cyber R&D Lab wondered if EMV data could be transferred to a mag stripe, getting around the problem of cloning chips. It did it by using the wireless Near Field Communication (NFC) capability on many EMV cards, the technology that enables tap-and-go transactions. To read the data from the NFC interface of real credit cards, researchers used an Android app called Card Reader Pro. This data was then compared to the data on the card’s magstripe for similarities or differences. Using that data the researchers could calculate the card’s iCVV number and substitute it on the mag stripe of a cloned card.
When a point of sale machine is used for a transaction, a bank is supposed to check the card security code for validity. If the process isn’t done right, a mag stripe card will seem to the bank to be an EMV card.