Gemini Advisory experts have published a report describing two cases found on underground hacker forums in which hackers had collected EMV card data and put it up for sale.
ZDNet reports that analysts at Cyber R&D Lab recently conducted an interesting experiment with EMV cards. The researchers had EMV chip cards issued at 11 banks in the US, UK and EU, and then turned on them the hacking tools normally used to copy information stored on EMV cards and their magnetic stripes.
As a result, the researchers were able to extract data from the EMV cards and create clones with the same magnetic stripe but without the actual chip. This is possible because all EMV cards still carry a magnetic stripe as a fallback, for example for when a user travels abroad and cannot use EMV, or encounters an old PoS terminal.
It has been known since 2008 that the magnetic stripe of an EMV card can be copied, but it was believed that this could hardly be abused, since banks planned to move all users to EMV and abandon magnetic stripes altogether. As practice has now shown, this did not happen, and Cyber R&D Labs specialists reported that they managed to clone four cards in the way described above and carry out transactions with them.
Until this week, however, the problem was still considered largely theoretical, since there was no evidence of hackers using the technique at scale. Now experts at Gemini Advisory have found such cases.
The researchers write that the EMV card data was stolen from the American supermarket chain Key Food Stores Co-Operative Inc., as well as from the American liquor store Mega Package Store.
The fact that criminals have started cloning EMV cards also seems to be confirmed by a warning sent out this month by Visa. Visa representatives write that malware such as Alina POS, Dexter POS and TinyLoader has been updated and can now collect information from EMV cards. This had not been observed before, since data collected this way usually could not be monetized.
Gemini Advisory believes that the method the criminals have begun to use was described as early as 2008, and that this technique, EMV-Bypass Cloning, was the subject of the recent research by Cyber R&D Labs.
I demonstrated cloning from chip data to magstripe but the banks said that cards issued after 2008 would not be vulnerable and chip data would be “useless to the fraudster”. This new research shows that the problem still has not been fixed, 12 years on https://t.co/6VX8n84hDb
– Steven Murdoch (@sjmurdoch) July 10, 2020
In theory, it is not too difficult to defend against such attacks: banks only need to perform more thorough checks when processing magnetic stripe transactions from EMV cards. But, alas, as the Cyber R&D Labs study showed, not all banks pay attention to this.
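One way an issuer could implement the more thorough check described above, as an added example that is not taken from the article or the cited research. It goes beyond the text by naming two concrete signals: the Track 2 service code that marks a chip card, and a chip-only verification value arriving on a swipe. The transaction fields (`entry_mode`, `terminal_chip_capable`, `fallback`, `cv_match`) are a hypothetical schema and the Track 2 strings are constructed.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

# Constructed sample data: well-known test PAN, made-up discretionary data.
CHIP_T2 = ";4111111111111111=25122010000012300000?"   # service code 201: chip card
PLAIN_T2 = ";4111111111111111=25121010000012300000?"  # service code 101: stripe only

def parse_track2(raw):
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a Track 2 record")
    return m.groupdict()

def is_chip_card(service_code):
    # A first service-code digit of 2 or 6 means the card carries a chip.
    return service_code[0] in "26"

def assess(txn):
    """Return (decision, reasons) for one authorization request (hypothetical schema)."""
    if txn["entry_mode"] != "magstripe":
        return "continue", []          # chip and contactless paths are out of scope here
    try:
        svc = parse_track2(txn["track2"])["svc"]
    except ValueError:
        return "decline", ["malformed track 2"]
    if not is_chip_card(svc):
        return "continue", []          # genuine stripe-only card
    decision, reasons = "continue", []
    if txn["terminal_chip_capable"] and not txn["fallback"]:
        decision = "review"
        reasons.append("chip card swiped at chip-capable terminal without fallback")
    # Assumption: the verification step reports which value matched, "cvv1" or "icvv".
    if txn["cv_match"] == "icvv":
        decision = "decline"
        reasons.append("chip verification value presented on a magstripe read")
    return decision, reasons

if __name__ == "__main__":
    swipe = {"entry_mode": "magstripe", "track2": CHIP_T2,
             "terminal_chip_capable": True, "fallback": False, "cv_match": "icvv"}
    print(assess(swipe))
```

A stripe written from chip data carries the chip's verification value rather than the stripe's own, so the `cv_match` test is the one that separates a clone from a legitimate fallback swipe.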