Curious fact: in the United States, the transition of merchants to EMV cards (popularly known as chip-and-pin cards), which is meant to fight fraud, is actually driving fraud losses up.
Here’s the thing: despite the fact that the deadline for U.S. merchants to adopt chip-and-pin cards has long passed, there are still a lot of shops that haven’t switched to the new standard. According to Visa, though, the top five big merchants that have adopted EMV saw their fraud levels decrease by 18.3 percent. On the flip side, merchants that haven’t switched over are seeing fraud levels rise by 11.4 percent.
The reason is that fraudsters are desperately trying to get their money while the transition is still in progress.
What is the difference after all?
The magnetic stripe on your card contains static data in plain text. Since the data is unencrypted, it’s not that difficult to steal it using rather cheap and common hardware, called skimmers. And since it is static, once stolen the data can be used to clone your card and to steal your money as a result.
Think of this data as a ‘password’: a culprit needs to steal it just once, and after that he’s able to log in to your account any time he wants.
In contrast, a shiny new chip-and-pin card, as you can guess from its name, contains a built-in chip which does some crypto magic. Instead of static ‘passwords’, the new technology uses dynamic ones, securely generated for each payment individually.
In reality it is a bit more complex, but to put it simply, the core idea is very close to the SMS one-time passwords you use to log in to your online banking, or to your Google and Facebook accounts. Stealing a ‘password’ used for one particular transaction makes no sense at all: it won’t work the next time.
The chip in a card is not just a store of information, but quite a powerful computer which can actually talk to payment terminals and ATMs in order to prove its authenticity. It can’t be cloned. Well, perhaps it can be, since nothing is really impossible in the digital world, but at least this operation would be way more complex than cloning traditional magnetic stripes.
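The static-versus-dynamic difference described above can be seen in a small simulation. This is an added example, not code from the original article or from any card scheme; the ChipCard and Issuer classes, the constructed stripe bytes and the use of HMAC-SHA256 in place of the real EMV cryptogram are simplifying assumptions.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in; real EMV cryptograms are computed differently.
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Toy chip: the key stays inside, only counter and cryptogram come out."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def pay(self, amount_cents: int, nonce: bytes):
        self._counter += 1
        return self._counter, cryptogram(self._key, self._counter, amount_cents, nonce)

class Issuer:
    """Toy issuer holding the card's stripe data and chip key (constructed values)."""
    def __init__(self, stripe: bytes, key: bytes):
        self.stripe, self.key, self.last_counter = stripe, key, 0

    def authorize_stripe(self, presented: bytes) -> bool:
        # Static data can only be compared, so an exact copy is always accepted.
        return hmac.compare_digest(presented, self.stripe)

    def authorize_chip(self, counter, amount_cents, nonce, mac) -> bool:
        if counter <= self.last_counter:      # counter already used: a replay
            return False
        expected = cryptogram(self.key, counter, amount_cents, nonce)
        if not hmac.compare_digest(mac, expected):
            return False                      # value was made for another payment
        self.last_counter = counter
        return True

def demo() -> dict:
    stripe, key = b"CONSTRUCTED-TRACK-DATA", secrets.token_bytes(16)
    issuer, card = Issuer(stripe, key), ChipCard(key)
    nonce = secrets.token_bytes(4)            # terminal's per-payment random value
    counter, mac = card.pay(1999, nonce)
    results = {
        "stripe_first": issuer.authorize_stripe(stripe),
        "stripe_copy": issuer.authorize_stripe(bytes(stripe)),
        "chip_first": issuer.authorize_chip(counter, 1999, nonce, mac),
        "chip_replay": issuer.authorize_chip(counter, 1999, nonce, mac),
        "chip_reused_mac": issuer.authorize_chip(counter + 1, 1999, nonce, mac),
    }
    nonce2 = secrets.token_bytes(4)
    counter2, mac2 = card.pay(500, nonce2)    # the genuine card keeps working
    results["chip_next_payment"] = issuer.authorize_chip(counter2, 500, nonce2, mac2)
    return results
```

The copied stripe data is accepted every time, while a chip value recorded from one payment is refused on any later attempt.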
All in all, EMV cards are a whole other ballpark for fraudsters. And that is exactly why they are currently racing against time, while they still have an opportunity to use good old cloned magnetic stripes.
Why is the transition to EMV so slow?
There are two reasons for this slow pace of chip-and-pin adoption: huge cost and bad planning. Can you imagine how many payment terminals there are in the United States? To complete the transition to the new technology, every last one of them has to be replaced with a new one. You bet it will cost merchants a fortune. And nobody likes to pay if it isn’t completely necessary.
The fact is that until October 1, 2015 it wasn’t. Merchants were not responsible for card fraud; credit card companies covered the losses related to any fraudulent purchases. What has changed after the above-mentioned deadline is that merchants who still don’t accept chip-and-pin cards are now themselves responsible for these losses.
And that’s the part where bad planning enters the stage: now there are too many merchants who want to switch to EMV at once. The problem is that buying new equipment is just the first step; the payment systems must be certified before they can start working. And there are simply too many merchants waiting in line, so the certification process will take considerable time.
And fraudsters are definitely going to use this time to make their buck.
What does this mean for me?
Using plastic cards was never completely safe, but now it is even more dangerous, since there is clearly an outbreak of card fraud happening right now in the U.S. That’s why you should be more cautious and follow these tips:
If you still don’t have a chip-and-pin card, ask your bank or credit card company to issue one to you.
Should you use an ATM, choose one located in a well-lit and secure area: the best choice is an ATM inside a bank. Likewise, avoid using standalone ATMs in secluded areas or in dark alleys.
Instead of signing your card, write “Ask for ID” on the reverse. Should you use a non-EMV machine, this will add an additional layer of security for you and show if the cashier is up on their security.
Keep an eye on your card charges. If your bank provides SMS notifications, enable this option. You can also set up email alerts if they are offered. The sooner you discover the evidence of theft, the easier it will be to get your money back.