By now you’ve probably heard that many banks and financial institutions are in the process of converting their payment and credit card systems to comply with new chip based security systems. I’ve already had a couple credit cards sent to me with the new metal chips embedded into them. However, many banks are not quite done making the change, and most stores do not have terminals that can even read the chips.
However, hackers never rest, and a few have found a way to exploit the banks that have inexplicably relaxed their fraud controls on the new EMV card accounts. Apparently the banks have not finished implementing the new security measures and while it’s in a “half-baked” state it’s apparently open to people exploiting the nature of the lax fraud detection measures.
For example, the chip based cards have data encryption as well as an internal “counter” of sorts in the chip that ticks up whenever a transaction is made. Major jumps in this number are a flag trigger for fraudulent and duplicate cards. Apparently certain banks have not enabled the policing of this counter and so fraudulent cards can still be used.
Krebsonsecurity.com encountered a hacker in a cyber crime forum selling a software program called “Revolution” that was designed to help people insert fraudulent and stolen card numbers into “intercepted” streams that use EMV card security holes in certain banks. The seller also offers to provide a list of those financial institutions that have half-baked EMV security measures in place.
According to the post that Krebs made,
“It appears that the Evolution software is designed to target banks that are in the process of architecting their payment networks to handle EMV transactions, but that nevertheless aren’t yet properly checking the EMV cryptogram and/or counter for these transactions. It also seems that some banks have inexplicably lowered their fraud controls on EMV transactions, even though they are not yet taking advantage of the added security protections offered by chip-based cards.”
Hopefully the red flag raised by Krebs will be able to stop the problem from spreading and push the banks to speed up their security implementation.
In the meantime, we highly recommend to keep a close eye (as always) on your credit card statements and immediately report any strange transactions to your financial institution.
Alternatively, keep an eye on this website as well as Krebsonsecurity.com so you will know when a store or financial institution has been hacked.