Compromised security in millions of cards in the US

In the last 12 months, hackers compromised 60 million cards from the United States

Chip and PIN technology has become the established standard for payment card transactions in the United States. However, many merchants fail to comply with security measures, which means that millions of payment cards remain vulnerable, according to digital forensics specialists from the International Institute of Cyber Security.

Chip cards, which contain a microprocessor that encrypts their data, are a safer alternative to magnetic stripe cards, at least in theory. They also implement the Europay, MasterCard and Visa (EMV) global standard for compatibility between cards and point-of-sale terminals. These cards came into widespread use after Visa, MasterCard, American Express and Discover, the four major credit card issuers in the US, decided in 2015 to transfer responsibility for payment card fraud to merchants that did not have an EMV system.

The reality, however, differs from the security estimates for these systems. According to a study by digital forensics experts based on data collected from various dark web sources, about 60 million cards in the US were compromised during the last 12 months. Of these, 93% were EMV chip-enabled.

In addition, data from 75% of these cards (almost 46 million) was stolen from transactions in which the victim was present. These cards were likely compromised through malware and point-of-sale breaches at establishments such as hotels and restaurants. The cases of Chili’s and Cheddar’s Scratch Kitchen are examples of this.

The study also states that the US is the country where the most cards have been compromised, with 37.3 million stolen records.

In the past 12 months, approximately 15.9 million compromised payment cards from other countries were put up for sale on the black market, divided between 11.3 million records from online transactions and 4.6 million from transactions in which the victim was present. According to experts in digital forensics, this means that the level of card data theft in the US is 868% higher than in the rest of the world.

The main reason is believed to be the limited commitment of US merchants to meeting minimum security standards, as many of them still use the magnetic stripe to carry out their transactions.

“Multiple points of sale still use the magnetic stripe instead of chip systems, so they completely neglect the safety features of EMV,” digital forensics specialists say. “In some cases, retailers refuse to migrate to EMV technology because of the high cost of this, as it is necessary to invest thousands of dollars, something that few retail companies can afford.”

Beyond the difficulty small businesses have in adapting, malicious hacker groups such as the so-called FIN7 tend to compromise the networks of small merchants, finding their way to payment terminals and deploying malware to extract card data. This makes it even more complex to update payment systems and make them as safe as possible.

Experts add that card data is also collected through a less automated method, using hardware known as “shimmers”, which is responsible for recording and deleting data from ATMs and payment terminals. Shimmers are placed between the chip on the card and the chip reader in an ATM or a payment terminal, recording the chip data while the machine reads the card.