My card has a chip, so how did I get skimmed?
In past columns, we discussed the adoption of the credit/debit card EMV system (known as “the chip” to everybody outside Europe) and the subsequent implications for consumer fraud protection. With very little fanfare, at the beginning of the year nearly every cardholder received a new card in the mail with a shiny new integrated circuit right on the front. Many consumers immediately felt more secure.
On paper, the chip is hard to argue against. A magnetic stripe stores all of the card's essential data in plain text, and a swipe hands over exactly the same bytes every time, so a copy of one swipe is as good as the card itself. A chip keeps its secret key inside the integrated circuit and instead produces a cryptogram that is unique to each transaction, so a recording of one purchase is useless for the next. Why wouldn't we feel more secure with that?
Unfortunately, peace of mind can be dangerous in itself. Consider the experience of Boise State sophomore Brittany Green.
“I logged on to my bank account one Saturday and saw that something didn’t add up,” Green says. “When I looked at my card history, I saw that somebody sent two Western Union transfers to Pakistan — each for $249 — back to back in the middle of the night. I didn’t even think that was possible with the new card.”
“I had missed it somehow, but a month prior, somebody tried to take out a cash advance at a casino in Las Vegas from the same card,” she says. “I’ve never even been to Vegas.”
Her story is not unique, nor is it surprising, given the state of the chip transaction system in the Valley. While there are a few documented exploits of certain implementations of the chips themselves, the biggest risk, especially on the local level, is simply the fact that many vendors have not yet switched to it and don’t seem to be making the shift anytime soon.
The chip itself is generally safe, but it means absolutely nothing for transactions that still use the magnetic stripe, and every chip card still carries a full stripe on the back for exactly those terminals. A chip card that gets swiped is no better protected than a stripe-only card. You probably see them four or five times per day: point-of-sale terminals with a helpful "chip coming soon!" sign sticking out of the bottom.
These systems require cardholders to swipe their cards, transmitting the card's essential data in easily interceptable plain text. Anytime people use a point-of-sale system where chip functionality is not present, they run the same risk of having their stripe data copied that hit Target in 2013 and Home Depot in 2014, where malware on the point-of-sale terminals harvested the swiped card data of tens of millions of customers.
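The difference the two preceding paragraphs describe, static stripe data versus a per-transaction chip cryptogram, is easiest to see in code. The following is an added example written for this column, not code from the author or from any payment network. It is a deliberately simplified model: a real EMV card derives a session key and computes its cryptogram (the ARQC) over amount, transaction counter, the terminal's Unpredictable Number and other fields with 3DES or AES, whereas here HMAC-SHA256 stands in for that and the Track 2 record, card key and amounts are constructed sample values. The structure of the check is what matters: a recorded swipe replays perfectly, a recorded cryptogram does not.

```python
"""Added example (not from the original column): replayable stripe data vs. a chip cryptogram.
Simplified model only; HMAC-SHA256 stands in for real EMV key derivation and ARQC generation."""
import hashlib
import hmac
import os
import re

# Constructed Track 2 record (well-known test PAN, not a live card):
#   ;PAN=YYMM SSS discretionary?
# The three-digit service code after the expiry is how a terminal learns that an
# integrated circuit is present (first digit 2 or 6), which is why a chip-capable
# terminal asks you to insert a chip card rather than swipe it.
SAMPLE_TRACK2 = ";4111111111111111=251220100001234567?"


def parse_track2(track: str) -> dict:
    """Split a Track 2 record into its fields; raises on anything else."""
    m = re.fullmatch(r";(\d{1,19})=(\d{4})(\d{3})(\d*)\?", track)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, service_code, discretionary = m.groups()
    return {
        "pan": pan,
        "expiry_yymm": expiry,
        "service_code": service_code,
        "chip_present": service_code[0] in "26",
        "discretionary": discretionary,
    }


def terminal_prompt(track: str, terminal_has_chip_reader: bool) -> str:
    """A chip-capable terminal that reads a chip-present service code must prompt
    for insert; a stripe-only terminal can only ever swipe."""
    if terminal_has_chip_reader and parse_track2(track)["chip_present"]:
        return "insert"
    return "swipe"


def stripe_authorization_data(track: str) -> bytes:
    """What a swipe sends: the same static bytes every time, so a capture is a replay."""
    d = parse_track2(track)
    return f"{d['pan']}|{d['expiry_yymm']}|{d['service_code']}".encode()


class ChipCard:
    """The card key never leaves the chip; each transaction gets a fresh counter (ATC)
    and the cryptogram is bound to the terminal's nonce and the amount."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        msg = f"{self.atc}|{amount_cents}|{terminal_nonce.hex()}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer-side check: recompute the cryptogram and reject any ATC that is not
    newer than the last one accepted for this card."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def verify(self, atc: int, amount_cents: int, terminal_nonce: bytes, cg: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # replayed (or stale) transaction counter
        msg = f"{atc}|{amount_cents}|{terminal_nonce.hex()}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cg):
            return False  # wrong key, or amount/nonce tampered with
        self.last_atc = atc
        return True


CARD_KEY = b"constructed-card-key-never-seen-by-a-skimmer"  # constructed sample key


def demo() -> dict:
    """Run the skimmer scenario against both technologies and report what gets accepted."""
    # Stripe: a skimmer records one swipe; the replay is indistinguishable from a new swipe.
    captured = stripe_authorization_data(SAMPLE_TRACK2)
    stripe_replay_accepted = captured == stripe_authorization_data(SAMPLE_TRACK2)

    # Chip: a skimmer on the wire gets one cryptogram, not the key.
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    nonce = os.urandom(4)  # terminal's Unpredictable Number
    atc, cg = card.cryptogram(1999, nonce)
    chip_first_accepted = issuer.verify(atc, 1999, nonce, cg)
    chip_replay_accepted = issuer.verify(atc, 1999, nonce, cg)  # same ATC again
    chip_forgery_accepted = issuer.verify(atc + 1, 24900, nonce, cg)  # new ATC, old MAC, new amount
    return {
        "stripe_replay_accepted": stripe_replay_accepted,
        "chip_first_accepted": chip_first_accepted,
        "chip_replay_accepted": chip_replay_accepted,
        "chip_forgery_accepted": chip_forgery_accepted,
    }


if __name__ == "__main__":
    print(terminal_prompt(SAMPLE_TRACK2, terminal_has_chip_reader=False))
    print(demo())
```

Run it and the stripe replay is accepted while both the chip replay and the forged-amount attempt are rejected. The `terminal_prompt` helper is the other half of the column's advice: a terminal with a working chip reader will see the service code and refuse to let a chip card be swiped, so if you are allowed to swipe, the terminal is stripe-only regardless of what the sign on it says.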
The card networks implemented a liability shift for in-store transactions in October 2015: when a chip card is used at a terminal that cannot read the chip and the transaction turns out to be counterfeit fraud, the vendor, not the financial institution, absorbs the loss. ATMs and gas pumps were given later deadlines, and the deadline for pumps has since been pushed back to 2020, so for those terminals the old rules still apply.
One of the two largest gas retailers in the Valley still refuses to adopt the chip as a matter of policy. Some small businesses still use the old stripe-only Square readers — nightmares in themselves when you think about an unknown vendor processing your debit card through a phone in plain text. What happens when you pay your bill at a restaurant and the waiter walks away with the card? Is that restaurant even chip-compatible?
Within the security industry, a popular approach is to use a designated credit card for point-of-sale purchases, route online purchases through PayPal so the merchant never sees the card number at all, and then pay that credit card off entirely every week while monitoring the transaction history closely.
This reduces the exposure your actual debit card and the associated checking account have to potentially compromised terminals and vendors. Even though the vendor is liable for chipless fraud incidents, the biggest advantage of this approach is that a fraudulent credit card charge is a disputed line on a statement, whereas a fraudulent debit transaction is money that is actually gone from your checking account while you wait months for a bank's fraud department to sort out the issue.
More than anything else, Brittany Green and countless others likely fell victim to their own peace of mind. We see the chip, we’re told it’s “secure,” and we let our guard down. It’s easy to do, but in an area where it seems that nearly half of vendors are not using the chip system, the added security measures it offers are moot.
Every time you use your card, note whether you're asked to insert or swipe. A terminal with a working chip reader will refuse to swipe a chip card and make you insert it, so if you're allowed to swipe, the terminal is stripe-only no matter what the sign says, and you might be better off reaching for the cash in your wallet instead of your card.
Neal Custer is president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. [email protected] Written in collaboration with Dylan Evans, Reveal's vice president of operations. This column appears in the April 19-May 16, 2017, edition of the Idaho Statesman's Business Insider magazine.