If new research from NCR about a flaw in chip cards proves to be reproducible by fraudsters, it may undermine the core benefit of EMV security.
Researchers at NCR say they have discovered a way for credit card hackers to rewrite the magnetic stripe code to make it appear as if it is a chipless card again, according to an Aug. 4 report from CNN Money.
The magnetic stripe on currently issued chip cards has coding that alerts the point of sale terminal that the customer is presenting a chip card. If hackers can write over that code, they could trick the terminal into thinking the card has no EMV chip, according to the report. NCR has not provided any information on its website about its research or the reported findings.
As such, it remains unclear whether a bank authorizing the transaction would be able to differentiate in real time between a chip card that has been tampered with and a legitimate chipless card.
Proponents of EMV chip cards have always been cautious in saying that a chip card renders fraud at the POS "nearly impossible." The technology's effectiveness at halting counterfeit fraud at the physical point of sale is well documented throughout the world, but merchants in the U.S. who have balked at the upgrade have often questioned why the new chip cards would continue to have magstripes. The networks have said magstripes would stay on cards for at least a few years as a backup if a chip reader was not working properly, or if a point of sale did not accept EMV cards, which remains the choice of the merchant in terms of accepting liability for fraud.
Gas station pumps, for example, are not required to accept chip cards until next year.
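As an added illustration (not from NCR's research or the CNN Money report), this sketch shows one issuer-side check for the question raised above: comparing the service code read from the stripe with the one recorded when the card was issued. It assumes the chip indicator is the three-digit service code in ISO/IEC 7813 Track 2 (first digit 2 or 6 means a chip is present) and that the issuer keeps that value per card; the `ISSUED_CARDS` store, the decision labels and the card numbers are constructed for the example.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# First service-code digit 2 or 6 signals that the card carries a chip.
CHIP_DIGITS = {"2", "6"}

# Constructed issuance records (assumption: issuer stores the encoded service code).
ISSUED_CARDS = {
    "4111111111111111": {"service_code": "201"},  # issued as a chip card
    "5500000000000004": {"service_code": "101"},  # issued as stripe-only
}


def parse_track2(track2):
    """Split a Track 2 string into PAN, expiry and service code."""
    m = TRACK2_RE.match(track2.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}


def check_swipe(track2, issued_cards=ISSUED_CARDS):
    """Return (decision, reason) for an authorization read from the stripe."""
    card = parse_track2(track2)
    issued = issued_cards.get(card["pan"])
    if issued is None:
        return ("decline", "unknown PAN")
    read_sc, issued_sc = card["service_code"], issued["service_code"]
    if read_sc != issued_sc:
        # Stripe data no longer matches what the issuer encoded.
        if issued_sc[0] in CHIP_DIGITS and read_sc[0] not in CHIP_DIGITS:
            return ("flag", "chip indicator removed from stripe")
        return ("flag", "service code mismatch")
    if read_sc[0] in CHIP_DIGITS:
        # Genuine chip card used by stripe: the fallback case the networks describe.
        return ("review", "chip card read by stripe")
    return ("approve", "stripe-only card matches issuance record")


if __name__ == "__main__":
    for sample in (";4111111111111111=25122010000000000?",   # untouched chip card
                   ";4111111111111111=25121010000000000?",   # service code altered
                   ";5500000000000004=25121010000000000?"):  # legitimate chipless card
        print(sample, check_swipe(sample))
```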
"Unless and until the industry removes mag stripes it will continue to be a major weakness," said Ben Knieff, a senior analyst with Aite Group. "Many institutions in Europe only issue stripe cards to people who travel (particularly to the U.S.). Part of this is that over the past years there has been a ton of ATM skimming in Europe where the skimmed information is used in the U.S."
However, Knieff questioned the scalability of the technique that NCR reportedly demonstrated.
"These sorts of attacks, just like skimming, require the criminals to physically re-code stripes and mules to actually extract funds or goods," he said. "Not that the scaling problems stop the criminals, but they certainly impact the actual level of risk, which may not be as high as it seems."