How easy is it for a company to breach itself?
July 3, 2018A chip error?
July 17, 2018It was perhaps inevitable but criminals have figured out a way to beat the EMV chips. The notice was put out in April by the Secret Service and highlighted by Brian Krebs on his blog about the tactics the criminals are using. It is quite scary indeed.
These criminals are intercepting mail coming from financial institutions with payment cards in them. Debit cards are of particular value. They have found a way to remove the chip by heating the glue that holds it on and then replacing the chip with an old one. The packages are then sealed and sent back on their way to their destination. If done correctly the business will never realize that the package or the cards have been tampered with.
The debit cards are then activated as they normally would be and used as they normally would. The criminals are not privy to the information that is needed to activate them which is why they must send them on rather than just keeping them. Since the chip is associated with the card when the card is activated the criminal is able to use the card for their own gain and only a review of the purchase statements would reveal any wrongdoing.
This kind of work is actually what the Secret Service was founded to perform. When they were founded in 1865 their initial charge was to stamp out and investigate counterfeit operations. At the end of the Civil War it was believed that more than one third of the currency in circulation was counterfeit and their mission was later expanded to encompass robbery and illegal gambling as well. The more famous charge of protecting the President of the United States and other government and world leaders did not come about for nearly half a century later following the assassination of William McKinley in 1901. Their mission has increased in recent years to also help fight identity theft and cyber crime.
The memo released by the Secret Service does not specify how they believe the criminals are intercepting the mail. It could be an inside job at the companies or an inside job at the Postal Service or with another delivery service. That we may not find out until the case is cracked and those responsible are brought to justice.
At the moment only major businesses seem to be the target since they offer a more lucrative payout but it is more than possible that this could expand to smaller businesses and even personal cards at some point so the public should be aware of this. The best thing that can be done is to inspect any card received and if anything looks out of the ordinary to report it and request a new one. Account monitoring is also encouraged since it is probable that the thief will start with a few small test purchases to make sure that the card is working.