With EMV (Europay, Mastercard & Visa) becoming more widely accepted and adopted, it was assumed this problem would fade. The chip-enabled cards provide encryption and tokenization that are beyond the capabilities of criminals to break. But resourceful crooks will relentlessly probe systems, processes, and people until they find a weakness or an opportunity. That weakness is the magnetic strip that still exists on all EMV cards.
When a crook places a skimmer on an ATM, gas station, restaurant, or other point-of-sale device, they are still able to copy the magnetic strip’s data if the device accepts the entire card. This means that most ATMs, and anywhere a card is swiped because the merchant doesn’t support EMV, give hackers access to the easy-to-defeat magnetic strip, even if the card itself is EMV.
Once a criminal has copied the magnetic strip, they will duplicate the card without the EMV chip. And if the ATM or point-of-sale device the criminals then use to steal money is not EMV compliant, the owner of that non-EMV device can be held liable for the loss incurred. This is because EMV-enabled ATMs or POS terminals are programmed to reject EMV cards that are swiped, since the machine is expecting a chip.
For organizations with legacy equipment, all is not lost. It is worth working with your ATM service provider or credit card processor to build in business rules that stop cloned EMV cards from taking advantage of your legacy equipment. For instance, during POS transactions where a customer swipes a card identified as EMV, it might be possible to have the terminal present the customer with a message to hand the card to the store employee. Employees could then be trained to verify the card has an EMV chip. And for ATMs, reducing the amount of money that can be withdrawn from non-EMV-compliant terminals makes it more difficult for bad guys to steal.
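One way to express the business rules described above, as an added example that is not from the article or from any processor's system. It assumes the terminal identifies a chip card from the first digit of the Track 2 service code (2 or 6); the function names, decision strings and the withdrawal cap are hypothetical.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})\d*\?$")
CHIP_FIRST_DIGITS = {"2", "6"}   # first service-code digit 2 or 6: card carries a chip
LEGACY_ATM_LIMIT = 100           # hypothetical reduced withdrawal cap, set by policy


def stripe_says_chip(track2):
    """Return True when the stripe's service code declares a chip on the card."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("unparseable Track 2 data")
    return m.group(3)[0] in CHIP_FIRST_DIGITS


def swipe_decision(track2, terminal, emv_capable, amount=0):
    """Decide how a swiped (magnetic-strip) transaction is handled.

    terminal is "pos" or "atm"; emv_capable says whether it has a chip reader.
    """
    try:
        chip_card = stripe_says_chip(track2)
    except ValueError:
        return "decline"                      # malformed stripe data: fail closed
    if chip_card and emv_capable:
        return "reject_swipe_use_chip"        # EMV terminal expects the chip
    if terminal == "atm" and not emv_capable and amount > LEGACY_ATM_LIMIT:
        return "decline_over_legacy_limit"    # cap exposure on legacy ATMs
    if chip_card and terminal == "pos":
        return "prompt_employee_to_check_chip"
    return "continue"


# Constructed sample stripes (test PAN, not real card data).
CHIP_CARD = ";4111111111111111=30122010000000000?"         # service code 201
STRIPE_ONLY_CARD = ";4111111111111111=30121010000000000?"  # service code 101

if __name__ == "__main__":
    for name, t2 in (("chip", CHIP_CARD), ("stripe-only", STRIPE_ONLY_CARD)):
        print(name, swipe_decision(t2, "pos", emv_capable=False))
    print("legacy ATM:", swipe_decision(CHIP_CARD, "atm", False, amount=400))
```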
The best solution, however, is to install EMV equipment and stay vigilant for the next wrinkle in the bad guys’ playbook.
Nathan Horn-Mitchem is Senior Vice President and Chief Information Security Officer for Provident Bank. He is responsible for the Bank's Information Security, Cyber Security, Incident Response, and Data Governance Programs. Nathan has nearly 15 years of technology and security experience in financial services and pharmaceuticals. Nathan holds a bachelor's degree in Business with a focus on Operations and Information Management from Georgetown University. He also holds a Certified Information Systems Security Professional (CISSP) certificate. Nathan has been featured in a number of business and technology journals including CSO Magazine, SC Magazine, Help Net Security, and the Provident Forum on Business.