Europay, Mastercard, and Visa, or simply EMV, is a security technology for credit cards with a smart chip. Most banks worldwide have adopted it, as EMV cards are believed to be more secure than the 50-year-old magnetic stripe technology. But a security research team recently ran an experiment on 11 EMV (chip-enabled) cards from different banks in the United States, the United Kingdom, and the EU.
Generally, cloning an EMV-enabled card is not possible, as the card was designed to be secure and to resist cloning. Still, the British security researcher has published the whitepaper “It only takes a minute to clone a Credit Card, Thanks to the 50-year-old problem” on their research into how the newly adopted technology can nevertheless be cloned.
The research team successfully extracted the data and created a magstripe version of the card. This is possible because EMV-enabled cards still carry a dedicated magnetic stripe for fallback, such as when a store uses an old point-of-sale machine or when a user travels to a non-EMV country. The team used the same tools that hackers use to obtain data from an EMV-enabled card and its corresponding magnetic stripe.
This loophole has been known since 2008, yet the banking industry dismissed it as it transitioned to EMV-enabled cards.
The table below shows how many EMV-enabled cards are vulnerable to this cloning scheme.
It has also recently been reported that some card data is now up for sale on a cybercrime forum. Some months ago, Visa sent out an advisory that cyber actors are targeting cards with POS malware: Alina POS, Dexter POS, and TinyLoader, which were discovered at a compromised North American merchant.
EMV-bypass cloning, a method described many years ago, is now believed to be what cybercriminals are using.
This type of attack is easy to prevent if banks perform thorough security checks on magstripe transactions from cards that are associated with EMV technology. Some banks approve transactions even when the security code is incorrect. This practice leaves the door open for threat actors to keep operating this kind of attack.
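The issuer-side check described above can be sketched as follows. This is an added example, not code from the whitepaper or from any bank; the record fields, the decision names and the policy of declining a chip card swiped at a chip-capable terminal are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified authorization record. Field names are hypothetical and are not
# taken from any payment network specification.
@dataclass
class AuthRequest:
    txn_id: str
    entry_mode: str              # "chip", "magstripe" or "fallback"
    card_has_chip: bool          # issuer record: card was issued with an EMV chip
    terminal_chip_capable: bool  # terminal reports it can read chips
    security_code_ok: bool       # issuer's check of the magstripe security code


def decide(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason) for the magstripe-related checks only."""
    if req.entry_mode == "chip":
        return ("continue", "chip path, not covered by this example")
    # From here on the card data was read from the magnetic stripe.
    if not req.security_code_ok:
        return ("decline", "incorrect magstripe security code")
    if req.card_has_chip and req.entry_mode == "magstripe" and req.terminal_chip_capable:
        # Assumed policy: a chip card has no reason to be swiped here
        # unless the terminal reported a fallback.
        return ("decline", "chip card swiped at chip-capable terminal")
    if req.card_has_chip:
        return ("review", "magstripe use of a chip card")
    return ("approve", "magstripe-only card, security code correct")


def audit(requests: list[AuthRequest]) -> dict[str, tuple[str, str]]:
    """Apply decide() to each request, keyed by transaction id."""
    return {r.txn_id: decide(r) for r in requests}


# Constructed sample requests, not real transaction data.
SAMPLE = [
    AuthRequest("t1", "chip", True, True, True),
    AuthRequest("t2", "magstripe", True, False, False),  # wrong security code
    AuthRequest("t3", "magstripe", True, True, True),    # swipe where chip works
    AuthRequest("t4", "fallback", True, True, True),     # reported fallback
    AuthRequest("t5", "magstripe", True, False, True),   # old terminal
    AuthRequest("t6", "magstripe", False, False, True),  # card without chip
]

if __name__ == "__main__":
    for txn_id, (decision, reason) in audit(SAMPLE).items():
        print(txn_id, decision, reason)
```

The "review" outcome keeps the legitimate fallback cases the article mentions (old terminals, travel to non-EMV countries) working while still marking them for closer scrutiny.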