While the new EMV chip-enabled cards are designed to protect consumers against more fraud attacks, scammers are already taking advantage of the fact that entering a PIN is not required and that not everyone has received the cards.
Millions of consumers are still left without the new cards that have a chip embedded in them to reduce the frequency of identity theft, counterfeiting and hacking. Posing as the credit card issuers, these cyber criminals are claiming that consumers need to update their personal information or click on a link to receive a new card with the chip, wrote Colleen Tressler, a consumer education specialist for the Federal Trade Commission, in a blog post.
Consumers who fall for this tactic are giving scammers more personal information to commit identity theft. Clicking on the link means you could also install malware or software programs which monitor your activity online, steal personal information and commit fraud, she said.
Credit card issuers never ask their customers to update personal information in an email or phone call.
“Don’t respond to an email or phone call that asks you to provide your card number,” Tressler wrote.
Consumers need to practice restraint when they see a link in an email and learn to ignore it, said Marie White, CEO of Security Mentor, a Pacific Grove, Calif.-based security awareness training provider. Being more suspicious of messages is the best strategy for consumers to protect themselves from phishing attacks in emails, social media and even text messages.
“Phishers know how to make messages look authentic, so if a message asks you to give out private information, you should assume it is malicious,” she said. “Just because a message appears to be from a trusted source, such as your bank, doesn’t mean that it actually is. They simply craft messages that trick us into disclosing sensitive information.”
The mandate from credit card issuers has persuaded a large percentage of retailers, especially national chains, to switch to the EMV (Europay, MasterCard and Visa) cards to lower their liability for fraud as data breaches become more commonplace.
“If a retailer decides not to change to EMV by the deadline, the burden of liability for any payment card information loss shifts from the payment processing bank to the retailer,” said Mark Parker, senior product manager at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions. “This could result in significant costs for the retailer should a data breach occur.”
The benefit of the chip is that it creates a unique transaction code for each purchase, increasing the difficulty for hackers to use your card for in-store purchases, but it does not generate greater protection for online or phone purchases.
“Since the new EMV cards should never leave your hand, it removes the opportunity for someone to commit fraud since the card is always within your sight,” said Mary Ann Miller, a senior director of fraud executive advisor and industry relations for NICE Actimize, a New York-based financial crime software solutions provider.
The new cards being sent out in the U.S. are in reality only chip-and-signature ones since not all credit card issuers require that their customers enter a PIN, fearful that the requirement to memorize another password will scare customers away. While the new chip-enabled cards are being heralded as a way to thwart hackers, this diluted version has left a gaping loophole where customers can bypass entering a PIN and can merely sign for their purchases, similar to the method employed by their old cards bearing the magnetic stripes.
Even the FBI is casting doubt over the new cards and warns that they are still “vulnerable” and still give cyber criminals the opportunity to nab payment data, said Darrell Foxworth, an FBI special agent in the office of public affairs at the San Diego office, in a written statement.
“Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores or for online or telephone purchases when the chip is not physically provided to the merchant,” he said.
Since the majority of these cards do not require a PIN, they are not as secure as true chip-and-PIN ones long adopted by Europe, said Security Mentor’s White. Stolen cards with the U.S. chips are “more easily used by a thief as a signature is easy to forge,” she said.
Requiring a PIN adds a greater level of security, because the thief or hacker would have to know the code, said White.
“It is a second factor for authentication, something you have — the card — and something you know — the PIN,” she said.
Since the majority of issuers are not requiring their customers to use a PIN, opting to use one does not increase the security of the transaction, said Miller. Until the U.S. migrates to a true chip-and-PIN system, consumers are still exposed.
Smaller retailers' slow switch to the EMV chip-based system, which requires new hardware, will only “open the window of opportunity for cyber criminals on many fronts” to conduct phishing attacks, Parker said.
“The amount of profit available for these attacks is very high and cyber criminals have shown that they are crafty enough to use any event as a window of opportunity to socially engineer and attack,” he said.
Consumers should refrain from using debit cards, especially since entering a PIN is not a requirement, said Geoff Sanders, CEO of LaunchKey, a Las Vegas-based decentralized mobile authentication and authorization platform.
“It’s generally wiser to use credit cards for purchases when possible because unlike debit cards, you’re not risking your hard-earned money,” he said. “A credit card is also a better choice because banks may take up to several days to refund fraudulent charges or withdrawals. If a criminal successfully drained your checking account through your debit card, you could be without money for quite some time.”
Cyber criminals won’t be content to rest on their laurels, especially as their sources of revenue are thwarted by new cards and technology, prompting them to move onto the next scam or hack, said Miller.
“They will replace that revenue with other forms of phishing, malware and data breaches,” she said.
Different types of fraud will occur as the criminals focus more on identity theft, taking over accounts and mobile payments, Miller said.
“Fraudsters seem to be attracted to money that moves faster like wire transfers or credit card transactions,” she said.
Retailers should expect to see increased attacks around the payment terminals since access to the data on the card remains a target, Parker said.
“For both consumers and retailers, attackers will use sophisticated phishing and social engineering attacks for the purpose of grifting personal info, account information and even payment card information,” he said.