What Is EMV Bypass Cloning & Should I Worry About It in 2024?
I used to believe EMV chips were secure. Then I learned about EMV bypass cloning, and my paranoia kicked in. After researching it further, I felt somewhat reassured.
Still, it’s something to be cautious about, as a business owner and a cardholder. I’ll explain what it is, how it works, and how you can protect yourself.
Let’s first refresh your memory on EMV cards.
Key Takeaways
- Hackers can clone an EMV chip’s data to a magnetic stripe card.
- These attacks are rare but still possible.
- EMV bypass cloning has been around since 2008.
- Opt for contactless payments to reduce the risk.
- Financial loss is a concern if you fall victim to EMV bypass cloning.
As a business owner, if a customer becomes a victim of EMV bypass cloning, you might face a chargeback. Prevent this by using chargeback alerts to resolve issues before they escalate.
We provide access to all chargeback alert services, making integration into your business simple.
What are EMV Cards?
EMV cards are credit, debit, or prepaid cards with microchips for secure transactions. They store data on chips, not magnetic stripes. EMV cards create unique codes for each transaction, protecting card numbers and iCVV numbers from transmission.
The iCVV (integrated Card Verification Value) is similar to the CVV number on the back of your card.
"EMV" stands for Europay, Visa, and Mastercard, the companies that made this standard.
These cards support various payment methods:
- Mobile
- Contactless
- Chip-and-signature
- Chip-and-PIN
As of today, 70.40% of all issued cards are EMV-enabled [1]. Over 93% of in-person card payments involve EMV cards [2].
These cards are more secure than traditional swiped cards due to changing cryptograms for each transaction. They aren’t foolproof, though.
I’ll talk about it in a bit.
Let’s first see why these cards were introduced.
Summary: More secure cards because they don’t store card numbers.
Why EMV Cards Were Introduced
Visa and friends introduced EMV cards to:
- Liability shift: Shift liability for counterfeit fraud to merchants not using EMV.
- Fraud reduction: Reduce fraud by generating unique codes for each transaction.
- Interoperability: Enable cross-border interoperability.
Did it work?
Yep. Fraud from counterfeit cards dropped by over 87% [3]. This is in part why third-party fraud now accounts for only 1% of chargebacks.
But EMV cards are part of an ongoing battle. Criminals continue finding ways to bypass these protections.
Here’s an example.
Can Someone Clone My Card with a Chip?
EMV chips can't be cloned, but fraudsters can exploit them. They copy chip data to magnetic stripe cards, creating functional clones. This vulnerability exists despite EMV's enhanced security features.
EMV cards still have magnetic stripes as a backup in case a terminal can’t read the chip. This provides a vulnerability, as hackers can transfer chip data to the stripe, making it easier to clone.
Hackers can then use the cloned stripe card to make purchases, often claiming that their issuer didn’t provide an EMV-enabled card.
Since not all issuers offer EMV cards yet, this excuse works.
Okay. How are they doing this?
Summary: Hackers can exploit EMV cards.
How Are Hackers Bypassing EMV Cards?
Hackers bypass EMV cards using shimmers to steal data. They create cloned magnetic stripe cards, modify terminals, or use software to bypass chip security. These methods enable fraudulent transactions without the original EMV chip.
Once they have your data, hackers can use the cloned card to make purchases, which directly affects businesses. Then they’ll go on a shopping spree with the cardholder’s information.
Alright, what’s a shimmer?
A shimmer is a slim device placed inside a card terminal. It reads both the EMV chip data and magnetic stripe information. Shimmers operate similarly to skimmers but target chip-enabled cards.
Source: Coquitlam RCMP
Here’s a video that explains what shimmers look like and how they work.
Are there other devices that hackers could use to copy data?
You may have heard of the Flipper Zero.
Source: Flipper
It’s a multi-tool that folks could use to hack stuff. And you may be wondering if this can be used for EMV bypass cloning.
EMV bypass cloning is impossible with such devices because card data is encrypted. To clone a chip, a hacker would need access to a private key from the bank.
Summary: Hackers use a shimmer to transfer EMV data to magnetic stripe clone cards.
When Did EMV Bypass Cloning Start?
EMV-Bypass Cloning was first theoretically described in 2008. Initially dismissed, this technique gained attention when exploited in the wild more recently.
Wait:
Why haven't banks addressed this issue?
Banks assumed magnetic stripes would eventually be phased out, rendering cloning attempts ineffective. 16 years later, 70.40% of cards are EMV-enabled, and they still have magnetic stripes.
Is this negligence? That’s not for me to say.
Banks did address this. Kind of. Banks must also verifi the card’s iCVV before approving a payment. This was supposed to address EMV bypassing, since it’s different from the CVV on a magnetic stripe.
Most banks followed this rule. Meaning there were a fair number of cases where there were still counterfeit cases.
With all these security measures in place, should banks and customers worry about EMV bypassing?
Should I Worry About EMV Bypass Cloning?
Yes. Customers and businesses should stay cautious of EMV-bypass cloning. Your level of concern depends on your security measures.
For customers, EMV chips provide stronger security than magnetic stripes. However, some banks may not fully verify the iCVV during magnetic stripe fallback transactions. This gap lets cybercriminals clone cards.
For businesses, you’ll need to read this next section.
How Does EMV Bypass Cloning Affect Businesses?
EMV bypass cloning affects businesses in the following ways:
- Increased chargeback risk: Victims will file fraudulent chargebacks.
- Liability: Businesses without EMV-compliant terminals could be liable for fraud.
- Fraud target: Non-EMV compliant businesses are prime targets for fraudsters.
- Eroded consumer trust: Awareness of compromised EMV cards may reduce consumer confidence.
- Higher fraud costs: Costs will rise due to investigations, refunds, and additional security measures.
The primary consequence of EMV bypass cloning is chargebacks. After fraud, customers will file true fraud chargebacks.
These have a low win rate (9%), compared to other disputes. Usually, your chances of winning are around 30%.
Chargeback fees range from $10 to $100 per dispute. This fee applies whether you win or lose the case. Fighting the dispute requires staff, which also adds costs.
If you fight the dispute, you must delegate staff toward this. That’ll cost some money.
And since you’ll likely lose the dispute, the chargeback will count toward your chargeback and fraud rates.
If your chargeback rate exceeds 0.65%, you may face fines or be flagged as high-risk by payment processors. Resulting in you being in a dispute monitoring program.
These come with fines up to $25,000 (or more), can result in you losing the ability to process a certain card, and can land you in a MATCH list. This blacklist prohibits you from being accepted into most payment processors for a certain amount of time.
Learn more about these monitoring programs in this guide.
Fraud rates. Whenever fraud happens, banks will submit TC40 data to issuers. The issuers will keep track of your fraud rate to determine whether you’re high risk. If you have too much fraud, you’ll end up in a fraud monitoring program.
This is just like the dispute monitoring programs. Though, these could come with more severe consequences.
Aside from chargebacks, you’ll need to deal with the costs that come with fraud. For instance, you might need to pay for an investigation.
Did I scare you? Good. Let’s explore ways to prevent this.
Let’s see if there are ways to prevent it.
Can You Prevent EMV Bypass Cloning?
Here are ways businesses can reduce EMV bypass cloning risks:
- Verify CVV numbers: Always validate card CVVs.
- Encourage contactless payments: These offer extra layers of security.
- Install anti-tampering devices: Tamper-resistant equipment prevents unauthorized access.
- Upgrade terminals: Use devices with advanced encryption.
- Monitor transactions: Detect suspicious activity early with real-time monitoring.
- Enforce chip-only transactions: Disable magnetic stripe processing.
- Train employees: Teach staff to detect tampering and suspicious behavior.
- Audit systems regularly: Check compliance and security measures.
As a business, verifying CVV numbers is your best defense. Cloned cards can’t match a CVV.
Encouraging contactless payments, such as Apple Pay, adds another layer of security. No card insertion means no shimmer can steal data.
Anti-tampering devices also help secure your terminals.
You’ll also want to monitor your employees. Sometimes, they install shimmers themselves. [4].
Otherwise, keep your terminals up-to-date. It’s all you can do to prevent this from happening.
Protecting Customers from EMV Bypass Cloning
Here’s how you’d prevent EMV bypass cloning:
- Monitor bank statements: Regularly review your account for unauthorized transactions.
- Enable transaction alerts: Get real-time alerts for any unusual activity.
- Shield PIN entry: Prevent others from viewing your PIN at terminals.
- Use the chip over magnetic stripe: Always opt for chip transactions.
- Avoid unfamiliar ATMs: Use trusted, secure machines.
This vulnerability affects both customers and businesses. If a cardholder’s data is stolen, their bank account could be drained. This leads to chargebacks (rightly so). Hurting the business's reputation and incurring fees.
Let’s see what this attack would look like in the real world.
Real-World Examples of EMV Bypass Cloning
In 2020, a major supermarket chain called Key Food Stores experienced a data breach.
Hackers bypassed EMV security at the chain’s POS terminals. They likely used malware to steal EMV chip data, including the iCVV. With this data, criminals created cloned cards, despite the original transactions using EMV technology.
Banks that didn’t properly verify iCVV allowed these cloned cards to be used. The stolen data was sold on the dark web, triggering further fraud.
This is a bad summary of the example I found. Here’s a better explanation.
Is there any way to recognize these attempts if you’re a customer?
How to Recognize EMV Cloning Attempts
As a customer, detecting EMV cloning is difficult since shimmers blend into card readers.
The best you can do is adopt my strategy for whenever I use a card terminal:
- Inspect the card reader: Check for broken security seals or loose parts.
- You can also try wiggling the card reader and keypad to see if it's securely fastened.
- Test the keypad: Misaligned or hard-to-press keys may indicate tampering.
- Examine the payment slot: Compare it with other machines to spot differences.
- Look for signs of tampering: Scratches, mismatched colors, or graphics can indicate fraud.
If you suspect fraud, contact the business first.
If they’re unresponsive, file a chargeback with your bank.
We explain how to do this in a separate piece. In short, it involves calling your bank or card company.
That’s all, folks.
Wrapping Up
EMV bypass cloning can cause financial loss for cardholders and businesses. Although it’s rare, it still happens. The best defense is to adopt contactless payments and implement security measures.
For business owners, chargeback preparation is key. Chargeback alerts can help, but you’ll need management software or services like Verifi or Ethoca to make it easy.
With us, it’s simple. Try our chargeback alerts.
Sources
- [1] Deployment Statistics. EMVco. 2024.
- [2] Percentage of card-present payments worldwide using EMV. NFCW. 8/15/2023.
- [3] Chip Cards Reduce Counterfeit Fraud. PYMNTS. 9/04/2019.
- [4] Card skimmer found at second Bend 7-Eleven. KTVZ. 2/20/2024.