4

I'm trying to wrap my head around what I view as EMV chip card security loopholes.

Here's what I'm told about EMV. If a transaction is being recorded maliciously by a third party, they will get your account number, but:

  1. they will miss info required to create a magnetic stripe card
  2. they won't obtain the CVV [or the iCVV replacing the CVV] required to make online purchases

My questions: 1. how will any info be missed? what's stopping a mag stripe card from being created? & 2. if that's true, how isn't card-not-present fraud largely being prevented by protecting/withholding the CVV? Why all this talk about how online channels will see an uptick in fraud?

Thanks!

Questions provoked by: http://nicolas.riousset.com/how-does-emv-encrypt-contactless-transactions/ & http://www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF

Zach Nichols
  • 41
  • 1

2 Answers2

2

1: Since EMV uses dynamic CVVs, a CVV of a recorded transaction is useless, since its spent. Thus they lack the complete info to create a (functioning) magnetic stripe card. However, doing a fake transaction might give a working magstripe card. But that magstripe card will only work a single time, and not work after the cardholder does any legit transaction, and then the bank will immediately detect the out-of-order iCVVs and thus block the card.

Also the frauster needs to be able to predict certain random numbers, which in some cases might be predictable due to terminals lacking good RNGs.

2: Different CVVs are used for different purposes, eg one CVV for CNP transactions, one CVV for magstripe transactions, one dynamic CVV using keyA for Contact chip transactions, Another dynamic CVV using keyB for RFID transactions. This allows the bank to differentiate by different transaction types.

All POS transactions are recorded differently from all online transactions, HOWEVER: Some webstores process their transactions as POS transactions. That causes the system to accept the transaction anyways.

Some retailers also do not require CVV, sometimes this is retailers that do not put a authorization hold on the account when first setting up a stored card to account, and since its prohibited to store CVV in ANY WAY, they don't ask for it since they have no means to verify it without charging the card. They allow you to set up the stored card. Most reputable companies instead ask for CVV when storing the card, and then charge like 1$ to the card to check if the card does actually work and then adds this amount to your account on-site. This does however put off some customers.

sebastian nielsen
  • 8,779
  • 1
  • 19
  • 33
  • Thanks Sebastian! This helps a lot. Regarding #2: the CVV for CNP transactions is the one included on the back of the card, correct? Also, if stores have no way of verifying the CVV, how are incorrectly inputted CVVs detected by these sites when paying by card? – Zach Nichols Nov 20 '15 at 18:36
  • As I said, you can verify CVV, but not without charging the card (eg do a authorization hold). Eg, if you want to check if the CVV is correctly input, you have to charge the card, normally with a amount like $1. Most companies that allow you to set up a recurring billing, will charge the card with a small amount just for the purpose of checking if the card is valid. After that, they have CVV fraud protection even for non-CVV transactions on same card since they can prove CVV was verified during storing of card. And yes, the CVV for CNP transactions is the one at the back. – sebastian nielsen Nov 23 '15 at 19:28
  • EMV does not use a dynamic CVV. It uses a complex protocol between card, terminal and card issuer. Maybe you are thinking about legacy contactless transactions which do indeed use a dynamic CVV. – lxgr Dec 08 '15 at 13:30
1

Why is a recorded EMV transaction not enough to create a magnetic stripe copy of the card?

The EMV static card data read by the terminal and transmitted to their processor contains, among other things, a field called Track 2 equivalent data. This could theoretically be written to a magnetic stripe.

However, issuers are free to use different values for the magnetic stripe and the equivalent data on the chip: They could, for example, vary the issuer discretionary data, which among other things contains the CVV/CVC.

Since the issuer also knows if an authorization request has been created by an EMV or a magnetic stripe terminal, they could then deny the transaction if, for example, the chip CVV shows up on a magnetic stripe transaction.

Additionally, if the card is used at an EMV-capable terminal, the issuer can also deny the transaction since the terminal should have never used the magnetic stripe in the first place.

Why should CNP fraud decrease because of EMV?

You are right by suspecting that the EMV transition does not really change for EMV fraud: The CVV2/CVC2 on the back of the card is neither included in the magnetic stripe data, nor stored on the chip.

However, expectations seem to be that once EMV is widely used, credit card fraud will move from in-person fraud at physical merchants (using skimmed card data) to online merchants.

lxgr
  • 4,094
  • 3
  • 28
  • 37