Brian Krebs has a great piece over at his Krebs on Security blog about “…Why Credit Card Fraud is Still a Thing.” The answer is can be summed up is just a few words. Because the United States lags behind the adoption of security standards the rest of the world has long since adopted.
The article is an analysis of the recent paper issued by Maxwell Aliapoulios, Cameron Ballard, Rasika Bhalerao, Tobias Lauinger, and Damon McCoyover at New York University that delves into the seedy underground of dark web data markets. Based on the data analyzed, the researchers found that
Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.
The authors then go further to state
Even multiple years into the U.S. EMV chip deployment, the supply of stolen magnetic stripe data continued to increase sharply.
This suggests that in the US, there are still far too many merchants either not requiring the use of chip and PIN or simply have not bothered to implement the capability to use it at all.
As the paper goes on, it is clear that the buyers value magnetic stripe data significantly more so long as the data is fresh. However, after the first six weeks of the data being available, its value drops well below that of chip and PIN card data. In contrast, the chip and PIN card data does not fetch a premium early on as magnetic stripe data does, but retains a more consistent value for the long term. International account data are also valued more highly than US account data, especially from Spain, Germany, and France. This suggests that the illicit data buyers see issuing financial institutions in these countries as less likely to disable the cards in the short term than FIs in other countries.
Further on on the analysis, the crucial conclusion is reached about US card issuers by the authors:
From 2016 to 2018, however, the median remaining lifespan of non-EMV accounts increased by about 100 days; the non-EMV population was getting younger, whereas EMV accounts aged by the same amount. This suggests that new non-EMV cards continued to be issued after the liability shift.
Which then leads me to believe that there is a major issue with how the card networks, like VISA, MasterCard, and others have structured their penalties for non-compliance. there have been too many exemptions and extensions for merchants that don’t need to comply with the EMV mandates. This then disincentivizes financial institutions to disallow fall back to mag stripe for transactions. This then makes more mag stripe data available via skimmers, where if people were using chip and PIN they would not have been compromised.
It’s a vicious cycle and we need to put an end to it. The industry needs to enforce compliance across all merchant categories, and financial institutions need to disable fallback to mag stripe. If this doesn’t happen soon, there is no end in sight for these types of data black markets.
If you want to read the article you can download a copy here.