Researcher proves magstripe loophole can still create cloned cards from EMV and contactless cards for fraudulent transactions
A magnetic stripe card is a type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on the card. The magnetic stripe, sometimes called swipe card or magstripe, is read by swiping past a magnetic reading head. Magnetic stripe cards are commonly used in credit cards, identity cards, and transportation tickets.
They may also contain an RFID tag, a transponder device, and/or a microchip mostly used for business premises access control or electronic payment. This week, a British security researcher proved that the loophole that allows magstripe versions to be created from EMV and contactless cards for fraudulent transactions still exists.
In a whitepaper named “It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Lab, tested modern card technologies from 11 banks from the US, the UK, and the EU. Galloway discovered that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.
According to the previous fix, this should not be possible: EMV cards were designed to be hard to clone, primarily because of the secure chip included with each one. However, Galloway’s whitepaper explains, in a step-by-step guide, how to take data from an EMV card and create an older-generation magnetic stripe clone.
This technique of cloning a magstripe version from an EMV card is not new and has been documented as far back as 2007. Steven Murdoch, Associate Professor and @royalsociety Research Fellow at University College London, said, “I demonstrated cloning from chip data to magstripe but the banks said that cards issued after 2008 would not be vulnerable and chip data would be ‘useless to the fraudster’.”
In the whitepaper, the researcher further explains why this is still possible. “First, the commonalities between magstripe and EMV standards for chip inserted and contactless mean that it’s possible to determine valid cardholder information from one technology and use it for another,” Galloway said.
“Secondly, magstripe is still a supported payment technology, likely because the adoption of chip-based cards has been slow in some geographic regions around the world.
“Third, although magstripe is a deprecated technology in many of the countries tested, cloned data is still effective because it is possible to cause the terminal and card to fallback to a magstripe swipe transaction,” the researcher added.
“Finally, card security codes, a critical point of card verification, are not checked at the time of the transaction by all card issuers.”
The card security code (CVV etc.) should actually be unique to the method: chip, NFC, or magstripe. The main point is that issuers do not correctly validate transaction data; as a result, skimmers and fraud are still big business.
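One way an issuer could enforce the per-method security code described above, shown as an added example (it is not code from the whitepaper or from any issuer). The entry-mode labels, the record layout, the sample code values, and the "review" policy for swipes on chip-capable cards are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRecord:
    chip_capable: bool
    codes: dict  # channel -> expected security code (hypothetical layout)

@dataclass(frozen=True)
class AuthRequest:
    entry_mode: str      # assumed labels: chip, nfc, swipe, fallback_swipe
    presented_code: str  # security code carried in the transaction data

# Which per-channel code each entry mode must present (assumed mapping).
CHANNEL_FOR_MODE = {"chip": "chip", "nfc": "nfc",
                    "swipe": "magstripe", "fallback_swipe": "magstripe"}

def evaluate(card: CardRecord, req: AuthRequest) -> tuple:
    """Return (decision, reason) for one authorization request."""
    channel = CHANNEL_FOR_MODE.get(req.entry_mode)
    if channel is None:
        return ("decline", "unknown entry mode")
    if not hmac.compare_digest(card.codes[channel], req.presented_code):
        # Name the channel the code belongs to, so cross-channel replay
        # (chip or NFC data written to a stripe) is visible to fraud ops.
        for other, code in card.codes.items():
            if other != channel and hmac.compare_digest(code, req.presented_code):
                return ("decline", f"{other} code replayed on {channel}")
        return ("decline", "security code mismatch")
    if channel == "magstripe" and card.chip_capable:
        # Correct code, but a chip card was swiped: route to risk review
        # (assumed policy; an issuer may decline outright instead).
        return ("review", f"{req.entry_mode} on chip-capable card")
    return ("approve", "code valid for channel")

# Constructed sample card. A real issuer derives these codes inside an HSM
# at authorization time and does not store them in the clear.
SAMPLE_CARD = CardRecord(True, {"magstripe": "111", "chip": "222", "nfc": "333"})

if __name__ == "__main__":
    for mode, code in [("chip", "222"), ("swipe", "222"),
                       ("fallback_swipe", "111"), ("swipe", "999")]:
        print(mode, code, evaluate(SAMPLE_CARD, AuthRequest(mode, code)))
```
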
Galloway said that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magstripe clones to be abused for fraudulent transactions.