New Microchip-Enabled Payment Cards May Still Be Vulnerable to Exploitation by Fraudsters
Despite large investments by retailers, banks and payment card providers, the shift in the United States to chip-based “EMV” cards has made only a small dent in the card fraud problem.
The newer cards, which feature an electronic chip designed to verify transaction data at payment terminals, offer additional security. But slow adoption by retails and a shift to online fraud means consumers remain vulnerable, and have to be careful about using and protecting their EMV cards.
With traditional payment cards, the magnetic strip on the back of the card contains static personal information about the cardholder. This information is used to authenticate the card at the point of sale (POS) terminal, before the purchase is authorized. When a consumer uses an EMV card at a chip POS terminal, that transaction is protected using the technology in the microchip.
But a number of challenges remain. Nearly two years after the rollout of EMV cards, only about a third of U.S. merchants – typically the larger retailers have adopted the required payment terminals. As a result, most transactions are still verified with the less-secure magnetic strip.
In addition, most hackers merely shifted their efforts from in-person purchases to online fraud. It remains far too easy for people to, in the wake of a large data security breach, buy compromised payment card numbers and make unauthorized purchases.
And in a new form of fraud, some hackers have altered the magnetic strip on the back of stolen payment cards (which is supposed to tell the terminal to use the shift instead of the magnetic stripe to verified the transaction) to falsely tell the payment terminal that the card does not have a security chip — paving the way for continued fraudulent use.
Protect Your Cards
Consumers should closely safeguard the security of their EMV cards and PINs. This includes being vigilant in handling, signing, and activating a card as soon as it arrives in the mail, reviewing statements for irregularities, and promptly reporting lost or stolen credit cards to the issuing bank. Consumers should also shield the keypad from bystanders when entering a PIN, as PINs are vulnerable to cybercriminals who work to steal these numbers to commit ATM and cash-back crimes.
The FBI encourages merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards. Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions.
At a minimum, merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers.
Credit card information taken over the telephone or through online means should be protected by the retailer to include encrypting digital information and securely disposing written credit card information.
If you believe you have been a victim of credit card fraud, reach out to your local law enforcement or FBI field office, and file a complaint with the Internet Crime Complaint Center (IC3) at www.IC3.gov.