How Chip-and-PIN is Shifting Cybercrime
Attackers are nothing if not creative, and when one path of entry is taken away, they will find another. We’ve seen this many times over the years, whether it’s with malware or vulnerabilities or something else, and the latest example is the reaction by cybercriminals to the move to chip-and-PIN (EMV) cards.
Chip-and-PIN cards differ from traditional credit and debit cards in a number of ways, but the most important one is the presence of a tiny chip embedded in each card. The chip essentially functions as a computer and when the card is inserted into the payment terminal, it performs a cryptographic operation that authenticates the card. The user then enters a PIN to authenticate himself. The system is meant to defeat the main types of card fraud, which rely on having physical possession of a stolen card and forging a signature.
These cards have been in use in Europe for several years, and retailers and card issuers in the United States began rolling them out last year. Not all retailers have payment terminals that can accept the new cards, but the rollout has been wide enough that it has caused attackers and cybercriminals to shift their tactics. Fraud rings have relied on stealing credit card numbers, printing them on blank cards, and then passing those cards to people who go and use them in stores. But that technique has been cut off in large part by the advent of chip-and-PIN cards, so these rings now have moved to other schemes, namely phone-based and online fraud.
New data released this week shows that the rate of phone fraud has increased nearly 50 percent since 2013. Call centers at banks, retailers, insurance companies, and other large targets see tens of millions of calls each year, most of which are legitimate, but a surprisingly high number of them are now fraudulent. One in every 1,700 calls to a call center is fraudulent in the U.S., and one in every 700 is fraudulent in the U.K., according to the 2016 Phone Fraud Report released Tuesday by Pindrop.
Looking at data compiled from 10 million calls in the last year, Pindrop Labs researchers estimated that targeted organizations are losing $0.65 per call. For companies with high call volumes, such as banks and retailers, those losses can add up very quickly. Cybercriminals often use the phone channel as a method for testing the validity of stolen card numbers, making small purchases to ensure that the cards haven’t been shut off yet. That tactic contributes to phone fraud.
“Also, due to the current rollout of EMV chip debit and credit cards in the US, it is harder for fraudsters to commit counterfeit card fraud at the point of sale. With this tactic out of play, criminals are switching to card-not-present (CNP) fraud attacks,” Pindrop Labs Director of Research David Dewey said.
Enterprises have spent the last decade upgrading their security defenses in virtually every aspect of their organizations. Better antimalware detection, more accurate data-loss prevention technology, better endpoint protection. But the phone channel has largely been ignored and attackers have taken notice. They realize that in most cases, the first and only line of defense in this channel is the person answering the phone. For experienced fraudsters, getting past a customer service agent is not a serious challenge. They often know the answers to knowledge-based authentication questions and have enough guile and experience to talk around something they might not know.
As security continues to improve, attackers will keep looking for soft spots in corporate defenses. For now, they’ve found a likely one in the phone channel.