Cracking the Uncrackable: Cybercriminals Deploy EMV-Bypass Cloning

July 30, 2020

Key Findings

  • New research by Cyber R&D Lab detailed a method of bypassing EMV technology to monetize supposedly secure cards. This method, EMV-Bypass Cloning, leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques.
  • To test this theory, they chose 11 cards from 10 banks from US, UK, and EU issuer countries. The researchers harvested data from four of the cards, created cloned magstripe cards with this data, and successfully placed transactions.
  • Gemini data indicates that this technique is already in use among the cybercriminal underground, as seen in the respective breaches of  Key Food Stores Co-Operative Inc. and Mega Package Store exposing over 720,000 compromised cards. EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market.
  • EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.

Background

The invention of the EMV chip was one of the most significant developments in secure payment card technology. While payment cards had previously relied on the magnetic stripe (magstripe) to store information, fraudsters had been cracking this technology and cloning victims’ cards for years. To prevent fraudsters from placing illicit purchases with cloned payment cards, EMV chips encrypt the payment card data and the CVV (called iCVV for EMV-enabled cards). A new encryption key (also called a token or cryptogram) is generated upon each purchase for Card Present (CP) transactions. This token is generated by the interaction between the EMV chip and the card reader and applies only to that single transaction. Since the token cannot be repeated for an additional transaction, stealing it does not allow cybercriminals to place fraudulent transactions with a cloned EMV-enabled card. There is currently no compelling evidence that any cybercriminals have discovered a method of cloning this technology. EMV chips transformed the underground payment card economy, shifting most illicit markets towards Card Not Present (CNP) records; merchant compliance with regulations mandating EMV chip transactions correlate strongly with the presence of CP fraud in any given country.

However, new research indicates that there are other ways to bypass EMV technology and monetize these supposedly secure cards. An in-depth report by Cyber R&D Lab detailed a method of acquiring enough data through compromised EMV transactions to clone a payment card. This method leverages information from one technology (EMV chips) and converts it into another less-secure technology (magstripe), which allows fraudsters to rely on their familiar cloning techniques. Gemini will refer to this technique as EMV-Bypass Cloning.

In-Depth Analysis

EMV-Bypass Cloning

Magstripes are particularly vulnerable because they do not encrypt the track 1 or track 2 data necessary to place a transaction. This lack of encryption made it easy for fraudsters to steal payment card data, and then equally easy to clone the card with this stolen data. EMV technology is more secure because it encrypts the payment card information stored on the chip during the transaction.

There are multiple ways for a cybercriminal to obtain the payment card data of EMV-enabled cards. The most popular method involves a “shimmer,” a physical device that a cybercriminal attaches to a point-of-sale (POS) terminal to collect payment data before passing it along to the POS terminal itself. This allows the fraudster to steal the card data while allowing the legitimate transaction to take place, which prevents the victim from realizing that their payment card information was compromised.

Image 1: Example of a shimmer that can be attached to a POS terminal to illicitly collect payment card data (source: Krebs on Security). 

According to Krebs on Security, the data collected by shimmers cannot be used to clone a chip-based card, although it can be used to clone a magstripe card. While the data that is typically stored on a card’s magstripe is replicated inside the chip on chip-enabled cards, the EMV chip also contains an additional security component not found on a magstripe. That security component is the iCVV number, which differs from the CVV that is located on the magnetic stripe.

However, this layer of security is rendered useless if a financial institution does not check for the proper CVV number during a swipe transaction. Because of this loophole, a cybercriminal can take data from an EMV-enabled card and translate it into magstripe data. That criminal can clone the victim card, creating a fraudulent magstripe card using EMV data. Thus, EMV-Bypass Cloning allows them to bypass the chip’s extra layers of security and revert to an older, more reliable method of fraud.

Fraudsters can use such a cloned card the same way they would use a card cloned from a compromised magstripe transaction. They cause the EMV transaction to fail through one of several ways (e.g., not fully inserting the card into the card reader; covering the EMV chip with tape or superglue; etc.), and then they accept the cashier’s offer to swipe the card instead.

From Theory to Practice

The viability of this technique depends upon a bank’s security posture. If a bank mandates that every card security code is verified upon each card transaction, the technique will fail. However, the Cyber R&D Lab researchers suspected that some banks do not verify the iCVV or CVV for all transactions, which would leave the card vulnerable to exploitation through the method detailed above. To test this theory, they used both an app and a physical card reader to record the card data. They chose 11 cards from 10 banks (including both Mastercard and Visa cards) from US, UK, and EU issuer countries to attempt their experiment.

The researchers used several different types of card readers to interface with all 11 cards, and were able to harvest data from four of them. With the data from these four cards, they created cloned magstripe cards and successfully placed transactions. These transactions would have failed if a simple check for data integrity occurred during payment. 

Cyber R&D Lab did not specify which bank/card issuer combinations were most vulnerable to this technique. The issues appear to be twofold: first, the card data could be harvested from four of the 11 cards, which implies a security shortfall from the card manufacturer or the issuer bank’s encoding process for the card data. Second, the banks did not verify that the correct CVV code (as opposed to the harvested and substituted iCVV code) was used in magstripe transactions.

This experiment validates the theory that EMV data can be converted into magstripe data and thus support fraudulent CP transactions. Lack of proper encryption or verification of data integrity appears to enable this technique. If dark web forums circulate EMV-Bypass Cloning guides, it may undermine EMV cards’ security and raise demand for them in the cybercriminal marketplaces, launching a new wave of cyberattacks on a type of transaction previously assumed to be safe.

In the Wild

Gemini data indicates that this technique is already in use among the cybercriminal underground. On January 16, 2020, Gemini identified a massive breach of Key Food Stores Co-Operative Inc., a supermarket chain cooperative with affiliates largely (but not exclusively) in the northeastern United States. Many of the supermarkets in this cooperative use point-of-sale (POS) terminals that support EMV transactions with distinct network security systems. The payment cards stolen during this breach were offered for sale in the dark web. Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback. Analysts had speculated that payment card data on the EMV chip was compromised and repurposed for cloned magstripe cards, and Cyber R&D Lab’s recent revelations provide further clarity into the likely attack vector.

Gemini additionally identified a breach of Mega Package Store, a US wine and liquor store based in the state of Georgia, on June 29, 2020. The stolen cards were also compromised during EMV-enabled transactions. The same attack vector would explain how the attackers managed to compromise and then monetize cards from EMV transactions. 

While Cyber R&D Lab demonstrated how EMV-Bypass Cloning can take place with physical access to targeted cards, and Krebs on Security shed further light onto shimmers as a means to steal card data, it is unlikely that the cybercriminals responsible for the Key Food Stores breach physically installed shimmers onto each store location’s POS terminals. Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning. 

Image 2: Map of affected locations and the number of compromised cards from the Key Food Stores and Mega Package Stores breaches.

Gemini notified law enforcement of both breaches shortly after discovering them. Key Food Stores first announced the breach on March 2, and later released an updated statement on July 16 reporting that even its EMV transactions had been compromised. While the public statement claimed that “we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code),” Gemini has observed additional data exposed in the dark web that includes the iCVV, which can be substituted for a CVV in magstripe data to clone a card. This cloned card can place fraudulent transactions depending on the bank’s verification process, as referenced above. The malware, therefore, must have harvested magstripe-equivalent payment card data from EMV-enabled POS terminals. A similar strain likely also infected Mega Package Store. Proper iCVV verification from banks should thwart this technique. 

Image 3: The compromised grocery stores affiliated with Key Food Stores Co-Operative Inc. (per Key Food Stores’ public statement).

In the breaches of Key Food Stores and Mega Package Store, major supermarkets have lost over 720,000 compromised cards. Since not all card-issuer banks verify the magstripe data upon each swipe transaction to ensure that it was not stolen and translated from the EMV chip, some of these records are viable for EMV-Bypass Cloning. This is encouraging to cybercriminal buyers seeking to cash out these records, which in turn prompts hackers to continue targeting merchants that comply with EMV implementation standards. 

EMV technology may have changed the underground market for CP records, but EMV-Bypass Cloning has opened the door for cybercriminals to sidestep the central security features of EMV chips and channel a new source of CP cards back into the underground CP market. The compromised merchant locations from the Key Food Stores breach are listed in Appendix A, while the Mega Package Store data is in Appendix B.

While analysts have not found dark web chatter highlighting EMV-Bypass Cloning or malware capable of capturing such data from EMV-enabled POS devices, the Key Food Stores and Mega Package Store breaches came from two unrelated dark web sources. This indicates that the technique used to compromise this data is likely spreading across different criminal groups using advanced operational security (OPSEC). 

Conclusion

While EMV chips had proved impossible for cybercriminals to crack for many years, EMV-Bypass Cloning has undermined the security of the most reliable card technology on the market. Cybercriminals appear to have already used the technique in the wild to conduct breaches at scale and tap into a new source to feed the CP card dark web market. However, since EMV-Bypass Cloning merely leverages encryption and verification policies rather than compromises EMV technology itself, the solution lies in these same policies. 

The four cards vulnerable to this technique in Cyber R&D Lab’s experiment had no verification process checking that the data inputted as magstripe data actually originated as magstripe data rather than being translated from an EMV chip. A higher verification standard involving data checks would raise the threshold of access and undercut fraudulent card use. EMV-Bypass Cloning is dangerously effective, but through policy review and higher verification standards, card providers and financial institutions can close the security gaps that this method exploits and restore the security integrity of EMV chips.

Appendix A

Location State City Address Exposure Time Period
Almonte’s Food Dynasty NY Brooklyn 1525 86th Street 04/08/2019 – 01/24/2020
Almonte’s Key Food NY Brooklyn 5101 Avenue N 04/08/2019 – 01/24/2020
Antillana Superfood NY Bronx 1339 Jerome Avenue 01/08/2019 – 04/17/2020
Brooklyn Fare NY Brooklyn 200 Schermerhorn Street 04/09/2019 – 01/24/2020
Brooklyn Fare NY New York 666 Greenwich Street 03/07/2019 – 01/24/2020
Brooklyn Fare NY New York 431 W 37th Street 04/09/2019 – 01/24/2020
Columbus Foods NY New York 81 West 104th Street 03/08/2017 – 02/27/2020
Country Markets NY Eastchester 344 White Plains Road 03/31/2019 – 01/24/2020
Dumbo Market NY Brooklyn 66 Front Street 03/31/2019 – 01/24/2020
Food Fair NY Bronx 1065 E. 163rd Street 04/07/2019 – 01/24/2020
Food Fair NY Bronx 656 Castle Hill Avenue 03/31/2019 – 01/24/2020
Food Fair NY Spring Valley 175 E. Central Avenue 03/31/2019 – 01/24/2020
Food Fair NJ Newark 323 Mount Prospect Avenue 03/31/2019 – 01/24/2020
Food Fair NJ Paterson 956 Market Street 03/31/2019 – 01/24/2020
Food Universe NY Bronx 119 Einstein Loop 03/13/2019 – 01/24/2020
Food Universe NY Bronx 111 Dreiser Loop 03/13/2019 – 01/24/2020
Food Universe NY Bronx 2061 Bartow Avenue 03/19/2019 – 01/24/2020
Food Universe NY Bronx 3942 White Plains Road 01/27/2017 – 02/14/2020
Food Universe NY Bronx 148 East Burnside Avenue 01/27/2017 – 04/17/2020
Food Universe NY Bronx 82 W. Kingsbridge Road 10/18/2018 – 03/04/2020
Food Universe NY Bronx 2358 University Avenue 01/05/2019 – 04/02/2020
Food Universe NY Bronx 60 W. 183rd Street 12/19/2018 – 02/16/2020
Food Universe NY Bronx 1334 Louis Nine Boulevard 03/29/2019 – 01/24/2020
Food Universe NY Brooklyn 1038 Rutland Road 01/27/2017 – 02/13/2020
Food Universe NY Brooklyn 405 Remsen Avenue 01/26/2017 – 03/03/2020
Food Universe NY Brooklyn 243 Schenectady Avenue 03/12/2019 – 01/24/2020
Food Universe NY Brooklyn 4118-22 Third Avenue 01/04/2019 – 02/14/2020
Food Universe NY Brooklyn 416 Crescent Street 03/19/2019 – 01/24/2020
Food Universe NY Far Rockaway 32-11 Beach Channel Drive 03/13/2019 – 01/24/2020
Food Universe NY Long Island City 34-14 Steinway Street 04/07/2019 – 01/24/2020
Food Universe NY New York 538 W 138th Street 03/12/2019 – 01/24/2020
Food Universe NY New York 70-72 Nagle Avenue 01/26/2017 – 02/25/2020
Food Universe NY New York 5069 Broadway 01/26/2017 – 03/03/2020
Food Universe NY Richmond Hill 117-01 Liberty Avenue 03/19/2019 – 01/24/2020
Food Universe NJ Paterson 498 East 30th Street 04/08/2019 – 01/24/2020
Gala Foods NY Brentwood 725 Commack Road 04/07/2019 – 11/01/2019
Gala Foods NY Brentwood 1925 Brentwood Road 03/30/2019 – 01/24/2020
Gala Foods NY Freeport 111 W. Merrick Road 03/30/2019 – 01/24/2020
Gala Foods CT Bridgeport 1050 East Main Street 04/07/2019 – 01/24/2020
Gala Foods CT Bridgeport 1457 Fairfield Avenue 04/07/2019 – 01/23/2020
Gala Foods MA Worcester 664 Main Street 04/07/2019 – 01/24/2020
GalaFresh Farms NY Bay Shore 1819 Fifth Avenue 03/28/2019 – 01/24/2020
GalaFresh Farms NY Brooklyn 492 St. Marks Place 04/25/2017 – 01/26/2020
GalaFresh Farms NY Riverhead 795 Old Country Road 04/08/2019 – 01/24/2020
Gitto Farmer’s Market NY Brooklyn 38 Brooklyn Terminal Market 04/09/2019 – 02/14/2020
Howard Avenue Market NY Brooklyn 8 Howard Avenue 01/12/2019 – 03/10/2020
Jumbo Market NY Bronx 1383 Nelson Avenue 01/05/2019 – 02/14/2020
Key Food NY Brooklyn 6620 Avenue U 03/06/2017 – 03/18/2020
Key Food NY Brooklyn 1610 Cortelyou Road 03/19/2019 – 01/24/2020
Key Food NY Jackson Heights 86-02 Northern Boulevard 03/13/2019 – 01/24/2020
Key Food NY Jackson Heights 3754 90th Street 04/07/2019 – 01/24/2020
Key Food NY Jamaica 166-02 Baisley Boulevard 05/29/2019 – 11/01/2019
Key Food NY Rock Hill 214 Rock Hill Drive 04/07/2019 – 01/24/2020
Key Food NY Spring Valley 289 North Main Street 03/19/2019 – 01/24/2020
Key Food NY Valley Stream 1805 N Central Avenue 03/19/2019 – 01/24/2020
Key Food NY Woodside 61-10 Queens Boulevard 01/26/2017 – 03/05/2020
Key Food CT Waterbury 286 Fairfield Avenue 05/14/2019 – 01/24/2020
Key Food FL Naples 2668 Tamiami Trail E. 04/30/2019 – 01/24/2020
Latino’s Supermarket NJ West New York 6418 Hudson Avenue 01/27/2017 – 02/14/2020
Marketplace NY Brooklyn 617 Fifth Avenue 03/08/2017 – 04/22/2020
Neighbors Foodmarket FL Sunrise 6041 W Sunrise Blvd. 04/13/2019 – 01/24/2020
Ozzie’s Fresh Market by Food Universe NY Brooklyn 639 Grand Street 04/06/2019 – 01/24/2020
Price Choice Foodmarket NY Ridgewood 64-01 Fresh Pond Road 02/17/2017 – 02/14/2020
The Food Emporium NY Brooklyn 8102 3rd Avenue 03/28/2019 – 11/01/2019
Top Value Supermarket FL Miami 1490 NW 3rd Avenue, Suite 101 04/08/2019 – 01/24/2020
Tropical Supermarket NJ Dunellen 446 North Avenue 01/29/2017 – 03/17/2020
Tropical Supermarket NJ North Brunswick 959 Livingston Avenue 01/26/2017 – 04/13/2020
Tropical Supermarket NJ Perth Amboy 442 Smith Street 01/19/2017 – 02/14/2020
Tropical Supermarket NJ Somerset 720 Hamilton Street 01/27/2017 – 03/17/2020
Tropical Supermarket NJ South River 62 Main Street 01/26/2017 – 02/13/2020
Tropical Supermarket NJ Union City 2400 Central Avenue 01/26/2017 – 04/17/2020
Tropical Supermarket NJ Union City 1208 New York Avenue 01/27/2017 – 03/03/2020
Vitelio’s Marketplace NY Kew Gardens 116-15 Metropolitan Avenue 01/23/2017 – 02/13/2020
Waverly Gourmet Market NY Brooklyn 367 Waverly Avenue 04/09/2019 – 01/24/2020

Appendix B

Location State City Address Exposure Time Period
Mega Package Store GA Suwanee 2820 Lawrenceville-Suwanee Rd 03/2020 – 06/2020
         

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

New research indicates that EMV chips can be bypassed to fraudulent clone stolen credit and debit cards. The breaches of Key Food Stores and Mega Package Store demonstrate that EMV-Bypass Cloning is already in use in the wild.

%d bloggers like this: