The suggestion for this post comes to us by way of a post at boingboing which relies heavily on an item at Geminiadvisory titled "Card Fraud on the Rise, Despite National EMV Adoption" from last May.
While the chips on our credit cards may help, they certainly don't prevent fraud at the point of sale -- called "card-present fraud." Here are the key findings from Geminiadvisory:
- 60 million US payment cards have been compromised in the past 12 months.
- 45.8 million or 75% are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
- 90% of the CP compromised US payment cards were EMV enabled.
- The US leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
- Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.
- An imminent shift from card-present to card-not-present fraud is already evident with a 14% increase in payment cards stolen through e-commerce breaches in the past 12 months.
And there's this:
Based on the proprietary Gemini Advisory telemetry data collected from various dark-web sources over several years, we have determined that in the past 12 months at least 60 million US cards were compromised. Of those, 75% or 45.8 million were CP records, likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled.
Card-present fraud is committed using malware, skimmers, or shimmers. Krebsonsecurity has a pretty good explanation of how the old skimmers worked; see "Pro-Grade Point-of-Sale Skimmer." Those skimmers wouldn't work on a chipped card, but the newer version -- the "shimmer" -- would.
What's a Shimmer? Here's the definition provided at Credit Card Glossary:
A paper-thin, card-size shim containing an embedded microchip and flash storage is inserted into the “dip and wait” card slot of an ATM or gas pump payment terminal that's indoors or outdoors. There it resides unseen to intercept data off your credit or debit card’s EMV chip for fraudsters. The intercepted data is used to create a magnetic stripe version of the card that can be used in payment terminals that haven't been updated with EMV chip technology.
The old saw still holds true: Deception, by definition, is always one step ahead of detection. So be aware.
------
2:15 PM 11/11/2018