Cracking the Uncrackable: Cybercriminals Deploy EMV-Bypass Cloning

July 30, 2020

Key Findings

  • New research by Cyber R&D Lab detailed a method of bypassing EMV technology to monetize supposedly secure cards. This method, EMV-Bypass Cloning, leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques.
  • To test this theory, they chose 11 cards from 10 banks from US, UK, and EU issuer countries. The researchers harvested data from four of the cards, created cloned magstripe cards with this data, and successfully placed transactions.
  • Gemini data indicates that this technique is already in use among the cybercriminal underground, as seen in the respective breaches of Key Food Stores Co-Operative Inc. and Mega Package Store, which exposed over 720,000 compromised cards. EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market.
  • EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.

Background

The invention of the EMV chip was one of the most significant developments in secure payment card technology. While payment cards had previously relied on the magnetic stripe (magstripe) to store information, fraudsters had been cracking this technology and cloning victims’ cards for years. To prevent fraudsters from placing illicit purchases with cloned payment cards, EMV chips encrypt the payment card data and the CVV (called iCVV for EMV-enabled cards). A new encryption key (also called a token or cryptogram) is generated upon each purchase for Card Present (CP) transactions. This token is generated by the interaction between the EMV chip and the card reader and applies only to that single transaction. Since the token cannot be reused for an additional transaction, stealing it does not allow cybercriminals to place fraudulent transactions with a cloned EMV-enabled card. There is currently no compelling evidence that any cybercriminals have discovered a method of cloning this technology. EMV chips transformed the underground payment card economy, shifting most illicit markets towards Card Not Present (CNP) records; merchant compliance with regulations mandating EMV chip transactions correlates strongly with the presence of CP fraud in any given country.

However, new research indicates that there are other ways to bypass EMV technology and monetize these supposedly secure cards. An in-depth report by Cyber R&D Lab detailed a method of acquiring enough data through compromised EMV transactions to clone a payment card. This method leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques. Gemini will refer to this technique as EMV-Bypass Cloning.

In-Depth Analysis

EMV-Bypass Cloning

Magstripes are particularly vulnerable because they do not encrypt the track 1 or track 2 data necessary to place a transaction. This lack of encryption made it easy for fraudsters to steal payment card data, and then equally easy to clone the card with this stolen data. EMV technology is more secure because it encrypts the payment card information stored on the chip during the transaction.

There are multiple ways for a cybercriminal to obtain the payment card data of EMV-enabled cards. The most popular method involves a “shimmer,” a physical device that a cybercriminal attaches to a point-of-sale (POS) terminal to collect payment data before passing it along to the POS terminal itself. This allows the fraudster to steal the card data while allowing the legitimate transaction to take place, which prevents the victim from realizing that their payment card information was compromised.

Image 1: Example of a shimmer that can be attached to a POS terminal to illicitly collect payment card data (source: Krebs on Security). 

According to Krebs on Security, the data collected by shimmers cannot be used to clone a chip-based card, although it can be used to clone a magstripe card. While the data that is typically stored on a card’s magstripe is replicated inside the chip on chip-enabled cards, the EMV chip also contains an additional security component not found on a magstripe. That security component is the iCVV number, which differs from the CVV that is located on the magnetic stripe.

However, this layer of security is rendered useless if a financial institution does not check for the proper CVV number during a swipe transaction. Because of this loophole, a cybercriminal can take data from an EMV-enabled card and translate it into magstripe data. That criminal can clone the victim card, creating a fraudulent magstripe card using EMV data. Thus, EMV-Bypass Cloning allows them to bypass the chip’s extra layers of security and revert to an older, more reliable method of fraud.

Fraudsters can use such a cloned card the same way they would use a card cloned from a compromised magstripe transaction. They cause the EMV transaction to fail through one of several ways (e.g., not fully inserting the card into the card reader; covering the EMV chip with tape or superglue; etc.), and then they accept the cashier’s offer to swipe the card instead.

From Theory to Practice

The viability of this technique depends upon a bank’s security posture. If a bank mandates that every card security code is verified upon each card transaction, the technique will fail. However, the Cyber R&D Lab researchers suspected that some banks do not verify the iCVV or CVV for all transactions, which would leave the card vulnerable to exploitation through the method detailed above. To test this theory, they used both an app and a physical card reader to record the card data. They chose 11 cards from 10 banks (including both Mastercard and Visa cards) from US, UK, and EU issuer countries to attempt their experiment.

The researchers used several different types of card readers to interface with all 11 cards, and were able to harvest data from four of them. With the data from these four cards, they created cloned magstripe cards and successfully placed transactions. These transactions would have failed if a simple check for data integrity occurred during payment. 

Cyber R&D Lab did not specify which bank/card issuer combinations were most vulnerable to this technique. The issues appear to be twofold: first, the card data could be harvested from four of the 11 cards, which implies a security shortfall from the card manufacturer or the issuer bank’s encoding process for the card data. Second, the banks did not verify that the correct CVV code (as opposed to the harvested and substituted iCVV code) was used in magstripe transactions.
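The following is an added illustration, not code from Cyber R&D Lab or Gemini, of the issuer-side check that the loophole above and the "twofold" shortfall in this section both turn on: on a swiped transaction, recompute the CVV from the track's own service code and compare it with the value presented, which exposes an iCVV lifted from the chip. It assumes the standard convention that iCVV is derived like CVV with the service code replaced by 999, uses HMAC as a stand-in for the issuer's real CVK-based derivation, and assumes a constructed track 2 layout in which the CVV is the last three digits of the discretionary data.

```python
import hashlib
import hmac

# Constructed sample issuer key. A real card verification key (CVK) never leaves the issuer HSM.
CVK = b"constructed-sample-cvk-not-a-real-key"


def card_verification_value(pan: str, expiry_yymm: str, service_code: str, key: bytes = CVK) -> str:
    """Derive a 3-digit CVV bound to PAN, expiry and service code.
    HMAC stands in for the issuer's real DES/CVK-based derivation; the binding is what matters."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def icvv(pan: str, expiry_yymm: str, key: bytes = CVK) -> str:
    """iCVV: the same derivation with the service code fixed to 999, so data read from
    the chip does not carry the value a genuine magstripe carries."""
    return card_verification_value(pan, expiry_yymm, "999", key)


def parse_track2(track2: str) -> dict:
    """Parse track 2 ('PAN=YYMM' + 3-digit service code + discretionary data).
    Discretionary-data layout is issuer-defined; this example assumes the CVV is its last 3 digits."""
    pan, rest = track2.strip(";?").split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[-3:]}


def authorize_swipe(track2: str, verify_cvv: bool = True, key: bytes = CVK) -> tuple[bool, str]:
    """Issuer-side decision for a swiped (magstripe) transaction.
    verify_cvv=False models the lax policy the report describes; True is the corrected policy."""
    t = parse_track2(track2)
    if not verify_cvv:
        return True, "approved without CVV check (lax policy)"
    if t["service_code"] == "999":  # edge case: 999 is the iCVV sentinel, never a valid swipe
        return False, "service code 999 is reserved for iCVV derivation; not valid on a swipe"
    expected = card_verification_value(t["pan"], t["expiry"], t["service_code"], key)
    if hmac.compare_digest(expected, t["cvv"]):
        return True, "CVV matches track 2"
    if hmac.compare_digest(icvv(t["pan"], t["expiry"], key), t["cvv"]):
        return False, "iCVV presented on a swipe: chip data replayed as magstripe"
    return False, "CVV mismatch"


# Constructed sample card (not a real account). Service code 201 = chip card, normal authorization.
PAN, EXPIRY, SERVICE = "4111111111111111", "2512", "201"
# Genuine stripe: discretionary data ends with the magstripe CVV.
GENUINE_TRACK2 = f"{PAN}={EXPIRY}{SERVICE}0000{card_verification_value(PAN, EXPIRY, SERVICE)}"
# Track-2-equivalent data copied from the chip: same fields, but the CVV slot holds the iCVV.
CHIP_COPIED_TRACK2 = f"{PAN}={EXPIRY}{SERVICE}0000{icvv(PAN, EXPIRY)}"
# Same chip data with the service code rewritten to 999 in an attempt to make the iCVV verify.
REWRITTEN_TRACK2 = f"{PAN}={EXPIRY}9990000{icvv(PAN, EXPIRY)}"

if __name__ == "__main__":
    for label, track in [("genuine", GENUINE_TRACK2), ("chip-copied", CHIP_COPIED_TRACK2),
                         ("rewritten-999", REWRITTEN_TRACK2)]:
        print(label, authorize_swipe(track), authorize_swipe(track, verify_cvv=False))
```

Only the lax policy (`verify_cvv=False`) approves the chip-copied track; the corrected policy rejects it and names the reason, which is what the report's "simple check for data integrity" amounts to.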

This experiment validates the theory that EMV data can be converted into magstripe data and thus support fraudulent CP transactions. Lack of proper encryption or verification of data integrity appears to enable this technique. If dark web forums circulate EMV-Bypass Cloning guides, it may undermine EMV cards’ security and raise demand for them in the cybercriminal marketplaces, launching a new wave of cyberattacks on a type of transaction previously assumed to be safe.

In the Wild

Gemini data indicates that this technique is already in use among the cybercriminal underground. On January 16, 2020, Gemini identified a massive breach of Key Food Stores Co-Operative Inc., a supermarket chain cooperative with affiliates largely (but not exclusively) in the northeastern United States. Many of the supermarkets in this cooperative use point-of-sale (POS) terminals that support EMV transactions with distinct network security systems. The payment cards stolen during this breach were offered for sale in the dark web. Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback. Analysts had speculated that payment card data on the EMV chip was compromised and repurposed for cloned magstripe cards, and Cyber R&D Lab’s recent revelations provide further clarity into the likely attack vector.

Gemini additionally identified a breach of Mega Package Store, a US wine and liquor store based in the state of Georgia, on June 29, 2020. The stolen cards were also compromised during EMV-enabled transactions. The same attack vector would explain how the attackers managed to compromise and then monetize cards from EMV transactions. 

While Cyber R&D Lab demonstrated how EMV-Bypass Cloning can take place with physical access to targeted cards, and Krebs on Security shed further light onto shimmers as a means to steal card data, it is unlikely that the cybercriminals responsible for the Key Food Stores breach physically installed shimmers onto each store location’s POS terminals. Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning. 

Image 2: Map of affected locations and the number of compromised cards from the Key Food Stores and Mega Package Stores breaches.

Gemini notified law enforcement of both breaches shortly after discovering them. Key Food Stores first announced the breach on March 2, and later released an updated statement on July 16 reporting that even its EMV transactions had been compromised. While the public statement claimed that “we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code),” Gemini has observed additional data exposed in the dark web that includes the iCVV, which can be substituted for a CVV in magstripe data to clone a card. This cloned card can place fraudulent transactions depending on the bank’s verification process, as referenced above. The malware, therefore, must have harvested magstripe-equivalent payment card data from EMV-enabled POS terminals. A similar strain likely also infected Mega Package Store. Proper iCVV verification from banks should thwart this technique. 

Image 3: The compromised grocery stores affiliated with Key Food Stores Co-Operative Inc. (per Key Food Stores’ public statement).

In the breaches of Key Food Stores and Mega Package Store, over 720,000 cards were compromised. Since not all card-issuer banks verify the magstripe data upon each swipe transaction to ensure that it was not stolen and translated from the EMV chip, some of these records are viable for EMV-Bypass Cloning. This is encouraging to cybercriminal buyers seeking to cash out these records, which in turn prompts hackers to continue targeting merchants that comply with EMV implementation standards.

EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market. The compromised merchant locations from the Key Food Stores breach are listed in Appendix A, while the Mega Package Store data is in Appendix B.

While analysts have not found dark web chatter highlighting EMV-Bypass Cloning or malware capable of capturing such data from EMV-enabled POS devices, the Key Food Stores and Mega Package Store breaches came from two unrelated dark web sources. This indicates that the technique used to compromise this data is likely spreading across different criminal groups using advanced operational security (OPSEC). 

Conclusion

While EMV chips had proved impossible for cybercriminals to crack for many years, EMV-Bypass Cloning has undermined the security of the most reliable card technology on the market. Cybercriminals appear to have already used the technique in the wild to conduct breaches at scale and tap into a new source to feed the CP card dark web market. However, since EMV-Bypass Cloning merely leverages encryption and verification policies rather than compromising EMV technology itself, the solution lies in these same policies.

The four cards vulnerable to this technique in Cyber R&D Lab’s experiment had no verification process checking that the data presented as magstripe data actually originated from a magstripe rather than being translated from an EMV chip. A higher verification standard involving such data checks would raise the threshold of access and undercut fraudulent card use. EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.

Appendix A

Location | State | City | Address | Exposure Time Period
Almonte’s Food Dynasty | NY | Brooklyn | 1525 86th Street | 04/08/2019 – 01/24/2020
Almonte’s Key Food | NY | Brooklyn | 5101 Avenue N | 04/08/2019 – 01/24/2020
Antillana Superfood | NY | Bronx | 1339 Jerome Avenue | 01/08/2019 – 04/17/2020
Brooklyn Fare | NY | Brooklyn | 200 Schermerhorn Street | 04/09/2019 – 01/24/2020
Brooklyn Fare | NY | New York | 666 Greenwich Street | 03/07/2019 – 01/24/2020
Brooklyn Fare | NY | New York | 431 W 37th Street | 04/09/2019 – 01/24/2020
Columbus Foods | NY | New York | 81 West 104th Street | 03/08/2017 – 02/27/2020
Country Markets | NY | Eastchester | 344 White Plains Road | 03/31/2019 – 01/24/2020
Dumbo Market | NY | Brooklyn | 66 Front Street | 03/31/2019 – 01/24/2020
Food Fair | NY | Bronx | 1065 E. 163rd Street | 04/07/2019 – 01/24/2020
Food Fair | NY | Bronx | 656 Castle Hill Avenue | 03/31/2019 – 01/24/2020
Food Fair | NY | Spring Valley | 175 E. Central Avenue | 03/31/2019 – 01/24/2020
Food Fair | NJ | Newark | 323 Mount Prospect Avenue | 03/31/2019 – 01/24/2020
Food Fair | NJ | Paterson | 956 Market Street | 03/31/2019 – 01/24/2020
Food Universe | NY | Bronx | 119 Einstein Loop | 03/13/2019 – 01/24/2020
Food Universe | NY | Bronx | 111 Dreiser Loop | 03/13/2019 – 01/24/2020
Food Universe | NY | Bronx | 2061 Bartow Avenue | 03/19/2019 – 01/24/2020
Food Universe | NY | Bronx | 3942 White Plains Road | 01/27/2017 – 02/14/2020
Food Universe | NY | Bronx | 148 East Burnside Avenue | 01/27/2017 – 04/17/2020
Food Universe | NY | Bronx | 82 W. Kingsbridge Road | 10/18/2018 – 03/04/2020
Food Universe | NY | Bronx | 2358 University Avenue | 01/05/2019 – 04/02/2020
Food Universe | NY | Bronx | 60 W. 183rd Street | 12/19/2018 – 02/16/2020
Food Universe | NY | Bronx | 1334 Louis Nine Boulevard | 03/29/2019 – 01/24/2020
Food Universe | NY | Brooklyn | 1038 Rutland Road | 01/27/2017 – 02/13/2020
Food Universe | NY | Brooklyn | 405 Remsen Avenue | 01/26/2017 – 03/03/2020
Food Universe | NY | Brooklyn | 243 Schenectady Avenue | 03/12/2019 – 01/24/2020
Food Universe | NY | Brooklyn | 4118-22 Third Avenue | 01/04/2019 – 02/14/2020
Food Universe | NY | Brooklyn | 416 Crescent Street | 03/19/2019 – 01/24/2020
Food Universe | NY | Far Rockaway | 32-11 Beach Channel Drive | 03/13/2019 – 01/24/2020
Food Universe | NY | Long Island City | 34-14 Steinway Street | 04/07/2019 – 01/24/2020
Food Universe | NY | New York | 538 W 138th Street | 03/12/2019 – 01/24/2020
Food Universe | NY | New York | 70-72 Nagle Avenue | 01/26/2017 – 02/25/2020
Food Universe | NY | New York | 5069 Broadway | 01/26/2017 – 03/03/2020
Food Universe | NY | Richmond Hill | 117-01 Liberty Avenue | 03/19/2019 – 01/24/2020
Food Universe | NJ | Paterson | 498 East 30th Street | 04/08/2019 – 01/24/2020
Gala Foods | NY | Brentwood | 725 Commack Road | 04/07/2019 – 11/01/2019
Gala Foods | NY | Brentwood | 1925 Brentwood Road | 03/30/2019 – 01/24/2020
Gala Foods | NY | Freeport | 111 W. Merrick Road | 03/30/2019 – 01/24/2020
Gala Foods | CT | Bridgeport | 1050 East Main Street | 04/07/2019 – 01/24/2020
Gala Foods | CT | Bridgeport | 1457 Fairfield Avenue | 04/07/2019 – 01/23/2020
Gala Foods | MA | Worcester | 664 Main Street | 04/07/2019 – 01/24/2020
GalaFresh Farms | NY | Bay Shore | 1819 Fifth Avenue | 03/28/2019 – 01/24/2020
GalaFresh Farms | NY | Brooklyn | 492 St. Marks Place | 04/25/2017 – 01/26/2020
GalaFresh Farms | NY | Riverhead | 795 Old Country Road | 04/08/2019 – 01/24/2020
Gitto Farmer’s Market | NY | Brooklyn | 38 Brooklyn Terminal Market | 04/09/2019 – 02/14/2020
Howard Avenue Market | NY | Brooklyn | 8 Howard Avenue | 01/12/2019 – 03/10/2020
Jumbo Market | NY | Bronx | 1383 Nelson Avenue | 01/05/2019 – 02/14/2020
Key Food | NY | Brooklyn | 6620 Avenue U | 03/06/2017 – 03/18/2020
Key Food | NY | Brooklyn | 1610 Cortelyou Road | 03/19/2019 – 01/24/2020
Key Food | NY | Jackson Heights | 86-02 Northern Boulevard | 03/13/2019 – 01/24/2020
Key Food | NY | Jackson Heights | 3754 90th Street | 04/07/2019 – 01/24/2020
Key Food | NY | Jamaica | 166-02 Baisley Boulevard | 05/29/2019 – 11/01/2019
Key Food | NY | Rock Hill | 214 Rock Hill Drive | 04/07/2019 – 01/24/2020
Key Food | NY | Spring Valley | 289 North Main Street | 03/19/2019 – 01/24/2020
Key Food | NY | Valley Stream | 1805 N Central Avenue | 03/19/2019 – 01/24/2020
Key Food | NY | Woodside | 61-10 Queens Boulevard | 01/26/2017 – 03/05/2020
Key Food | CT | Waterbury | 286 Fairfield Avenue | 05/14/2019 – 01/24/2020
Key Food | FL | Naples | 2668 Tamiami Trail E. | 04/30/2019 – 01/24/2020
Latino’s Supermarket | NJ | West New York | 6418 Hudson Avenue | 01/27/2017 – 02/14/2020
Marketplace | NY | Brooklyn | 617 Fifth Avenue | 03/08/2017 – 04/22/2020
Neighbors Foodmarket | FL | Sunrise | 6041 W Sunrise Blvd. | 04/13/2019 – 01/24/2020
Ozzie’s Fresh Market by Food Universe | NY | Brooklyn | 639 Grand Street | 04/06/2019 – 01/24/2020
Price Choice Foodmarket | NY | Ridgewood | 64-01 Fresh Pond Road | 02/17/2017 – 02/14/2020
The Food Emporium | NY | Brooklyn | 8102 3rd Avenue | 03/28/2019 – 11/01/2019
Top Value Supermarket | FL | Miami | 1490 NW 3rd Avenue, Suite 101 | 04/08/2019 – 01/24/2020
Tropical Supermarket | NJ | Dunellen | 446 North Avenue | 01/29/2017 – 03/17/2020
Tropical Supermarket | NJ | North Brunswick | 959 Livingston Avenue | 01/26/2017 – 04/13/2020
Tropical Supermarket | NJ | Perth Amboy | 442 Smith Street | 01/19/2017 – 02/14/2020
Tropical Supermarket | NJ | Somerset | 720 Hamilton Street | 01/27/2017 – 03/17/2020
Tropical Supermarket | NJ | South River | 62 Main Street | 01/26/2017 – 02/13/2020
Tropical Supermarket | NJ | Union City | 2400 Central Avenue | 01/26/2017 – 04/17/2020
Tropical Supermarket | NJ | Union City | 1208 New York Avenue | 01/27/2017 – 03/03/2020
Vitelio’s Marketplace | NY | Kew Gardens | 116-15 Metropolitan Avenue | 01/23/2017 – 02/13/2020
Waverly Gourmet Market | NY | Brooklyn | 367 Waverly Avenue | 04/09/2019 – 01/24/2020

Appendix B

Location | State | City | Address | Exposure Time Period
Mega Package Store | GA | Suwanee | 2820 Lawrenceville-Suwanee Rd | 03/2020 – 06/2020

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

New research indicates that EMV chips can be bypassed to fraudulently clone stolen credit and debit cards. The breaches of Key Food Stores and Mega Package Store demonstrate that EMV-Bypass Cloning is already in use in the wild.
