A British security researcher has shown this week that it is still possible in 2020 to create older-generation magnetic stripe (magstripe) cards using data found on modern chip-and-PIN (EMV) and contactless cards, and then use the cloned cards for fraudulent transactions.
In a whitepaper titled “It Just Takes A Minute to Clone a Charge Card, Thanks to a 50-Year-Old Issue,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Laboratory, tested modern card technologies from 11 banks from the US, the UK, and the EU.
Galloway found that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.
Under normal circumstances, this should not be possible. EMV cards were designed to be difficult to clone, mainly because of the secure chip included with each one.
Nevertheless, Galloway’s whitepaper provides a detailed guide on how to take data from an EMV card and produce an older-generation magnetic stripe clone.
This technique, cloning a magstripe version from an EMV card, is not new and has been documented as far back as 2007.
Cloning magstripes from EMV data is, in fact, how a number of carding gangs still operate today.
Crooks use skimmer or shimmer devices to collect data from EMV cards, create a magstripe clone, and then use this clone to make fraudulent transactions at Point-of-Sale (POS) systems or withdraw cash from ATMs in third-world countries where EMV cards have not been rolled out and magstripe cards are still accepted.
Banking industry still slow to adopt proper security practices
In her whitepaper, Galloway explains why this is still possible.
“First, the commonalities between magstripe and EMV requirements for chip inserted and contactless mean that it’s possible to determine legitimate cardholder information from one innovation and utilize it for another,” Galloway said.
“Second of all, magstripe is still a supported payment technology, most likely since the adoption of chip-based cards has actually been sluggish in some geographic areas all over the world.
“Third, although magstripe is a deprecated innovation in many of the nations tested, cloned information is still effective due to the fact that it is possible to trigger the terminal and card to fall back to a magstripe swipe transaction,” the researcher added.
“Lastly, card security codes, a critical point of card confirmation, are not examined at the time of the deal by all card issuers.”
This last point is the more significant problem. As Galloway pointed out in a discussion on Twitter with this reporter, card security codes (CSC, CVV, or CVC values printed on a card) must be unique per technology and should always be verified.
Transactions are still approved with the wrong security code, with a code from another card technology, and even without one. Failing to properly verify security codes leaves the door open for carding gangs to keep operating by copying and downgrading newer EMV cards into magstripe clones to abuse overseas, in countries where magstripe cards are still accepted.
Back in 2007, UK-issued cards had an exact copy of the magstripe on the chip. From 2008, cards were supposed to have a different CVV between the magstripe and the chip.
Galloway stated that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can likewise be abused in the same way to create magstripe clones for fraudulent transactions.
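The issuer-side check that the last point above calls for, as an added example that is not taken from the whitepaper or from any issuer's system: a transaction is approved only when its security code is present and matches the technology actually used, and a code belonging to another technology is reported separately because it is what a downgraded clone would carry. The card number, code values and all names (`EXPECTED_CODES`, `AuthRequest`, `check_security_code`) are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: the expected security code per card technology
# for one made-up card number. How an issuer obtains these is out of scope.
EXPECTED_CODES = {
    "4000000000000002": {"magstripe": "123", "chip": "456", "contactless": "789"},
}

@dataclass
class AuthRequest:
    pan: str
    entry_mode: str        # "magstripe", "chip" or "contactless"
    code: Optional[str]    # security code carried in the card data, if any

def check_security_code(req: AuthRequest) -> Tuple[bool, str]:
    """Approve only when the code matches the technology actually used."""
    codes = EXPECTED_CODES.get(req.pan)
    if codes is None or req.entry_mode not in codes:
        return False, "unknown card or entry mode"
    if not req.code:
        # Never approve a transaction that carries no security code.
        return False, "security code missing"
    if hmac.compare_digest(req.code, codes[req.entry_mode]):
        return True, "ok"
    # A code that is valid for a different technology suggests card data
    # copied from one interface and replayed through another.
    for tech, other in codes.items():
        if tech != req.entry_mode and hmac.compare_digest(req.code, other):
            return False, f"{tech} code used on {req.entry_mode} transaction"
    return False, "security code incorrect"

if __name__ == "__main__":
    pan = "4000000000000002"
    for mode, code in [("chip", "456"), ("magstripe", "456"),
                       ("magstripe", None), ("contactless", "000")]:
        print(mode, code, check_security_code(AuthRequest(pan, mode, code)))
```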