Bank Card Fraud, Two Ways to Get Burned

Many ATMs and point of sale terminals fail to properly generate random numbers required by the Europay, MasterCard, and Visa EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge. The use of defective random number generation algorithms make those payment devices vulnerable to attacks that allow criminals to send fraudulent transaction requests from rogue chip enabled credit cards, the researchers said. The EMV standard requires the use of payment cards with integrated circuits capable of performing specific cryptographic functions.

These cards are commonly known as chip and PIN cards, EMV cards or integrated circuit cards. Not common so far in the U.S., EMV compliant devices must generate unpredictable numbers for every transaction request so card issuers can verify the freshness of these requests. Older versions of the EMV specification did not provide clear instructions for how these random numbers should be generated and only required that payment devices generate four different consecutive UNs to be compliant. The researchers found weak UN generation in devices that were easy to predict and thus take advantage of for fraudulent transactions.

In another fraud, skimming threatens debit card users, while fraud strikes 1 percent of credit card transactions. Twice as many credit card fraud cases involve phone or online transactions than retail sales, according to new data from FICO. However, researchers found that sophisticated counterfeit rings have raised the stakes for merchants over the most recent 20 month survey period. Researchers reported an increase in skimming.

ATMs, grocery stores, and automated fuel pumps topped the list of places where criminals use stolen or cloned debit cards. According to a company spokesman, fraud rings usually test stolen cards with smaller online transactions. In a statement to reporters, he described online tests as a relatively safe way for thieves to learn whether victims notice extra purchases on their monthly statements. The theory rings true with researchers at J.D. Power and Associates, where the results of an annual customer satisfaction survey showed that nearly a quarter of reported credit card problems involved fraudulent transactions.