*Editorial Note: This content is not provided or commissioned by the credit card issuer. Any opinions, analyses, reviews or recommendations expressed in this article are those of the author’s alone, and may not have been reviewed, approved or otherwise endorsed by the credit card issuer. This site may be compensated through a credit card issuer partnership.
This article was last updated Nov 20, 2014, but some terms and conditions may have changed or are no longer available. For the most accurate and up to date information please consult the terms and conditions found on the issuer website.
Three U.S. financial institutions recently reported that they were flooded with fraudulent credit and debit card transactions. What was particularly strange was that this happened despite the fact that the charges were attributed to the newer, more innovative, and much more secure, chip-enabled cards.
Although the charges showed up as coming from credit cards with the newly embedded chip technology, the transactions were dated before these banks had even issued any chip-enabled plastic. Before you get too worried, I can reassure you that your chip-enabled cards are not flawed or vulnerable. In this case, the primary victims involved were the banks. None of the new chip-enabled plastic accounts were harmed in any way.
Can a Card Be Hacked Before it Even Exists?
This story reminded me of an order I recently placed online. When I checked the shipping status of my purchase to find out when it would be shipped, the information said that I had already received my merchandise. That wasn’t possible because I did not order it until late October and the tracking system said that it had already been delivered back in September. Unless the merchant read my mind a month in advance or I was caught in a time warp, that timeline did not make sense.
After an email to the merchant it was all sorted out and blamed on a goofy technical glitch. However, in the case of this recent credit and debit card fraud, the financial institutions are still on the hook for the damages. Even before chip-enabled cards were sent to their customers, criminals were already scamming banks with what appeared to be chip-enabled card transactions.
Not to Worry: Your Chip-Enabled Cards are Still Safe
The criminals pretended that they had chip-enabled cards, then they used account numbers associated with stolen magnetic stripe cards to create fraudulent transactions. When they processed those – probably using stolen merchant terminal hardware – they made them appear to be coming from a consumer’s chip-enabled card.
At first, the banks that were targeted suspected that the crooks had made clones of chip-enabled cards. That did not seem feasible, though, because these new cards contain a microchip that is extraordinarily secure. To copy or clone one of these would be very expensive and hard to do. Thieves have no financial incentive to go through all that hassle, which is another reason these cards are a lot safer than magnetic strip cards.
Why Would Hackers Do This?
The whole scenario certainly does raise some curious questions. Why would a hacker or credit card thief go through all of that extra trouble? What do they have to gain by jumping through hoops just to make a card transaction appear to be from a chip-enabled account?
We may not learn the answer to that question, but here is one theory: That the criminals assumed the banks would not be as concerned about security protocols with chip-embedded cards. Security is a big problem for the older magnetic strip cards, so banks are more cautious and pay closer attention to those transactions.
These days the least likely place for fraud to happen is through a chip-enabled channel. Ironically, that may make these new channels look like an easier target, at least for the moment, in the eyes of some creative cyber criminals.
Banks Left Holding the Bag
News reports said that these particular transactions were tied to the financial data that was stolen during the recent breach at Home Depot. The crime ring that submitted the fraudulent charges was based in Brazil.
In the aftermath of recent security breaches with retailers, the banks targeted are faced with losses in tens of thousands of dollars. They are taking a bigger hit than usual because banks have greater responsibility and liability when fraud happens to an account with a chip-enabled card.
In contrast, when a bank can prove that fraud was involved, they have only limited liability if the breach involved a merchant accepting older and less secure conventional plastic – the kind with a magnetic strip on the back.
Is This a Short-Lived Trend?
News of a story such as this can raise concerns about how likely this is to happen again, and how often. Online fraud expert Brian Krebs believes fraud of this kind will briefly spike during the United States’ transition from magnetic strip cards to EMV chip cards. “Fraud doesn’t go away, it just goes somewhere else,” said Krebs.
In the UK, online fraud rose almost 80% when the country switched to EMV credit cards and other countries saw almost a 50% rise in card-not-present fraud. On the contrary, consumers should expect counterfeit fraud to decline in 2015.
The general take-away here is that things are not always what they seem to be. Fraudsters will continue to find ways to steal card numbers and personal information no matter how the industry changes. Moving forward, consumers should focus their efforts on staying protected when making online purchases and always use a credit card, not a debit card. That’s a good thing to remember during the holiday shopping season.
Related articles: Protecting credit cards from online data breaches, Major banks in US hacked, Why the US is behind in credit card technology, Match on card security solution, Steps to take after card is stolen