Getty Images/iStockphoto
A British security researcher has proven this week that it is still possible in 2020 to create older-generation magnetic stripe (magstripe) cards using details found on modern chip-and-PIN (EMV) and contactless cards, and then use the cloned cards for fraudulent transactions.
In a whitepaper named “It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Lab, tested modern card technologies from 11 banks from the US, the UK, and the EU.
Galloway discovered that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.
Image: Cyber R&D Lab
Under normal circumstances, this should not be possible. EMV cards were designed to be hard to clone, primarily due to the secure chip included with each one.
However, Galloway’s whitepaper explains in a step-by-step guide on how to take data from an EMV card and create an older-generation magnetic stripe clone.
This technique — of cloning a magstripe version from an EMV card — is not new and has been documented as far back as 2007.
I demonstrated cloning from chip data to magstripe but the banks said that cards issued after 2008 would not be vulnerable and chip data would be “useless to the fraudster”. This new research shows that the problem still has not been fixed, 12 years on https://t.co/6VX8n84hDb
— Steven Murdoch (@sjmurdoch) July 10, 2020
Cloning magstripes from EMV data is, in fact, the way how many carding gangs still operate today.
Crooks use skimmer or shimmer devices to collect data on EMV cards, they create a magstripe clone, and then they use this clone to make fraudulent transactions at Point-of-Sale (POS) systems or withdraw money from ATMs in third-world countries where EMV cards have not been rolled out and magstripe cards are still accepted.
Banking industry still slow to adopt proper security practices
In her whitepaper, Galloway explains why this is still possible.
“First, the commonalities between magstripe and EMV standards for chip inserted and contactless mean that it’s possible to determine valid cardholder information from one technology and use it for another,” Galloway said.
“Secondly, magstripe is still a supported payment technology, likely because the adoption of chip-based cards has been slow in some geographic regions around the world.
“Third, although magstripe is a deprecated technology in many of the countries tested, cloned data is still effective because it is possible to cause the terminal and card to fallback to a magstripe swipe transaction,” the researcher added.
“Finally, card security codes, a critical point of card verification, are not checked at the time of the transaction by all card issuers.”
This last point is the more significant issue. As Galloway pointed out in a conversation on Twitter with this reporter, card security codes (CSC, CVV, or CVC values printed on a card) should be unique per technology and should always be validated.
The card security code (cvv etc) should actually be unique to the method: chip/nfc/mag stripe. The main point is that issuers do not correctly validate transaction data as a result skimmers and fraud are still big business
— Leigh-Anne Galloway (@L_AGalloway) July 9, 2020
While banks don’t have full control of what card/payment technologies are supported in other countries, and they’ll still have to support older technologies for legacy purposes, they have the power to verify transactions correctly.
However, as Steven Murdoch, Research Fellow at University College London, also pointed out on Twitter, the reality is that banks still fail to enforce this simple rule, even now, in 2020.
Transactions are still approved with the wrong security code, from another card technology, and even without it. By not properly verifying security codes, this leaves the door open for carding gangs to continue to operate by copying and downgrading the newer EMV cards into magstripe clones to abuse overseas, in countries where magstripe cards are still accepted.
Back in 2007, UK issued cards had an exact copy of the magstripe on the chip. From 2008 cards were supposed to have a different CVV between the magstripe and the chip. However this new security feature is pointless if magstripe transactions with the wrong CVV are accepted!
— Steven Murdoch (@sjmurdoch) July 10, 2020
The card security code (cvv etc) should actually be unique to the method: chip/nfc/mag stripe. The main point is that issuers do not correctly validate transaction data as a result skimmers and fraud are still big business
— Leigh-Anne Galloway (@L_AGalloway) July 9, 2020
Galloway said that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magstripe clones to be abused for fraudulent transactions.