ATLANTA—Computer security researchers at NCR say they have found another way criminals can exploit chip cards.
EMV cards currently have a magnetic stripe, which is used as a default payment option where chip cards are not accepted. When a chip card is inserted into an EMV-ready POS terminal, the magnetic stripe tells the machine to use the chip.
But NCR researchers say crooks can easily change that command, CNNMoney reported. Presenting their findings at the Black Hat computer security conference last week, the security researchers demonstrated how credit card thieves can rewrite the magnetic stripe code to make the card appear to be a chip-less card again.
“This allows them to keep counterfeiting – just like they did before the nationwide switch to chip cards,” CNNMoney stated.
All this is possible, said CNNMoney, because of the way many retailers are upgrading their payment machines: They're not encrypting the transaction.
"There's a common misperception EMV solves everything. It doesn't," Patrick Watson, one of the researchers, told CNNMoney.
But the U.S. Payments Forum disputed the researchers’ theory, according to CNNMoney.
"If the data on the magnetic stripe is altered it might fool the terminal," said U.S. Payments Forum Director Randy Vanderhoof. But on the back end, the system would "reject the transaction."
The NCR research is likely to raise the concerns, and the ire, of retailers who have complained about the cost and effectiveness of EMV. The study shows that a store could spend a significant amount on an EMV upgrade and still not protect its customers’ card data.
“Adding to the problem, payment terminal makers keep producing machines that don't have the encryption by default,” noted CNNMoney. “And vendors who sell and install these machines at shops don't simply flip the switch and turn on encryption. Retailers have to pay extra for basic security.”
The major POS machine makers, Verifone and Ingenico, both asserted they offer point-to-point encryption on retailers' machines – but it's up to retailers and their partners to turn it on, CNNMoney stated.
