Hackers Target Card-Swiping Consumers

July 02, 2016

Hackers Target Card-Swiping Consumers

By Roy Urrico
Credit Union Times

In the midst of the ongoing EMV transition comes news of skimming scams trying to catch unwary consumers, who swipe instead of dip, and new technology making POS devices more affordable.

Brian Krebs, author of the blog “Krebs on Security,” revealed that skimmers found at Walmart stores in Fredericksburg, Va., and Fort Wright, Ky., fit over existing EMV-enabled POS devices, and even include a slot for chip cards. The overlays sell for $200 to $300 on the dark web.

The skimmer has a PIN pad overlay to capture the consumer’s PIN, and an instrument for recording data stored on the card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

According to Krebs, Walmart began rolling out the chip card readers, which also maintained mag-stripe capabilities, last year. The hackers want to exploit customers who forego dipping their chip card for the more familiar card swiping.

Chip-based cards are more costly and intricate for thieves to fake, and help lessen the threat from the majority of current card-skimming methods. There are consumer complaints that chip readers take longer for an authorization than just a swipe. This is because of numerous information exchanges between the card reader and the backend that the swipe method does not have.

As the transition to the EMV chip card liability deadline continues, merchants and issuers are still lagging behind when it comes to EMV-enabled POS implementation, leaving systems vulnerable and consumers confused.

A recent study from The Mercator Advisory Group revealed only 60% of credit cards in the U.S. were updated and only 20% card terminals had chip-reading capabilities.

Small and mid-sized businesses have been slow to adopt EMV technology because of cost and limited availability of the new terminals. Although EMV-compatible stand-alone terminals start at around $200 per unit, small businesses especially are often reluctant to pay for new devices.

Chicago-based payment processor Cardtek announced its EMV Contact and Contactless Level 2 Kernel Library certification through its ChipXpert solution, which may make EMV technology more affordable for smaller merchants.

The product provides secure transactions at retailers, transit locations, self-service terminals and other EMV-enabled locations.

Cardtek's most recent certification supports both contact and contactless payment schemes. This architecture also allows adaption to different terminal types such as tablets, parking devices, outdoor payment terminals, transit validators and retail terminals, according to Cardtek. The process also addressed the additional features of EMV L2 Kernel Library, which passed performance conditions required for open loop transit transactions.