How EMV chip cards are cloned

A group of specialists from a cyber security course have created a similar method to that used by threat actors to create magnetic stripe payment cards (a technology considered from the previous generation) using some details typical of the most modern payment cards, based on chip and PIN technology (EMV), the most sophisticated cloning card method. 

This research, led by cybersecurity specialist Leigh-Anne Galloway, found that four of the 11 banks analyzed were still issuing EMV cards that could be cloned into a lower-security magnetic stripe version, which could be leveraged by threat actors. The research, published under the title “It only takes a minute to clone a credit card, thanks to a 50-year problem”, was recently published.

Under normal circumstances, this should not be possible, as the main purpose of EMV cards is to prevent cloning thanks to the implementation of a chip. However, cyber security course researchers found that it is possible to take data from an EMV card and create a previous-generation fraudulent card. Researchers note that this technique has existed for at least 13 years.

This is just one of the many forms of cloning payment cards used in the cybercriminal world.

As experts from the cyber security course have previously reported, hackers use special devices (skimmers) to intercept EMV card data, creating a magnetic stripe clone in order to perform fraudulent operations at multiple points of sale, or to withdraw money from ATMs in places where ATMs still recognize magnetic stripe cards.  

In the document, Gallow mentions: “The common points between the magnetic stripe and EMV standards for the chip imply that it is possible to determine the valid cardholder information of one technology and use it for another.”

While magnetic stripe is an outdated technology, cloning card data with chips remains a highly efficient method. In addition, card security codes, a key security feature, are not verified at the time of the transaction by all card issuers.

Galloway said that while the investigation focuses on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magnetic stripe clones and conduct fraudulent transactions.