No technology is fail-safe. Just ask PayPal President David Marcus.
Marcus said hackers probably cloned his credit card during his recent trip to the United Kingdom, even though the card was outfitted with chip technology that makes it harder to replicate plastic.
He explained in a series of tweets Monday that there were a “ton of fraudulent transactions” on his card. Marcus suspects his card was compromised at a hotel through a skimmer — a device thieves hide inside card readers to capture credit and debit information when people swipe cards.
“They cloned [the card] and went on a shopping spree,” Marcus wrote.
The admission is unnerving because the chip, known as EMV (short for Europay, MasterCard and Visa), is the same technology the credit card industry is offering up as a solution to reduce fraud in the U.S. payment system.
Security experts have pointed out that chip cards remain susceptible to online (card-not-present) fraud, but the high-tech plastic is supposed to be all but impossible to counterfeit. EMV-enabled cards, which are widely used in Europe, exchange data with payment terminals or ATMs; the terminal is supposed to supply a fresh random number for each transaction, and the chip folds that number into a cryptogram that authenticates the transaction to the card issuer.
But researchers from the University of Cambridge say they discovered a flaw in the system in 2012. They noticed that some payment terminals in the United Kingdom produced numbers with predictable patterns that were easily exploited by thieves. Once hackers could predict the “random” numbers, they could get a card to produce cryptograms for those numbers in advance, record them, and play them back later through a counterfeit card — tactics known as “pre-play” attacks.
The Cambridge team collected data from more than 1,000 transactions at more than 20 ATMs and point-of-sale terminals. They began researching vulnerabilities in the system after learning about customers in the United Kingdom whose banks refused to reimburse them for fraudulent transactions, said Ross Anderson, professor of security engineering and an author of “Chip and Skim: Cloning EMV Cards With the Pre-Play Attack.”
“The random-number attacks have only been seen in one actual dispute case so far, but we have found noticeable patterns in the supposed random-number generators of slightly under half the terminals and ATMs tested,” he said.
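The mechanics of the pre-play attack described above, and the kind of pattern check the Cambridge team ran on terminal random numbers, can be shown with a small model. The following is an added illustration written for this page; it is not code from the article, from PayPal or from the Cambridge paper. The card, terminal and issuer are simplified stand-ins (the cryptogram is an HMAC rather than the CBC-MAC real EMV cards compute, the key and the counter-style “unpredictable number” sequence are constructed, and the amount and date are made up), but the logic is the one the text describes: a terminal whose unpredictable number is guessable lets an attacker who briefly had the genuine card replay pre-computed cryptograms, while a terminal that draws its number from a real random source does not.

```python
import hashlib
import hmac
import os
import struct

# Assumption for the demo: one symmetric key shared by the card and its issuer.
# Real EMV derives per-card keys from an issuer master key; this is a stand-in.
CARD_KEY = b"demo-card-master-key"


def toy_arqc(key: bytes, amount: int, date: str, un: int, atc: int) -> bytes:
    """Toy Authorisation Request Cryptogram: a MAC binding the amount, the date,
    the terminal's Unpredictable Number (UN) and the card's Application
    Transaction Counter (ATC). Real ARQCs are 8-byte CBC-MACs over more fields."""
    msg = struct.pack(">I", amount) + date.encode() + struct.pack(">II", un, atc)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Genuine chip card: signs whatever UN the terminal supplies, bumping ATC."""
    def __init__(self, key=CARD_KEY):
        self.key, self.atc = key, 0

    def generate_ac(self, amount, date, un):
        self.atc += 1
        return self.atc, toy_arqc(self.key, amount, date, un, self.atc)


class PreplayClone:
    """Attacker's counterfeit card: a table of (atc, cryptogram) pairs that the
    real card was made to compute earlier, keyed by (amount, date, UN)."""
    def __init__(self, harvested):
        self.harvested = harvested

    def generate_ac(self, amount, date, un):
        return self.harvested.get((amount, date, un), (None, None))


class Issuer:
    """Verifies the cryptogram and refuses to accept the same ATC twice
    (a plain replay of one recorded transaction is therefore rejected)."""
    def __init__(self, key=CARD_KEY):
        self.key, self.seen_atc = key, set()

    def authorise(self, amount, date, un, atc, cryptogram):
        if atc is None or atc in self.seen_atc:
            return False
        if not hmac.compare_digest(toy_arqc(self.key, amount, date, un, atc), cryptogram):
            return False
        self.seen_atc.add(atc)
        return True


class CounterTerminal:
    """Flawed terminal: its 'unpredictable' number is a simple counter
    (constructed stand-in for the patterns reported in the field)."""
    def __init__(self, start=0x3E9A0000):
        self.next_un = start

    def new_un(self):
        un, self.next_un = self.next_un, (self.next_un + 1) & 0xFFFFFFFF
        return un


class RandomTerminal:
    """Terminal that draws the UN from the operating system's CSPRNG."""
    def new_un(self):
        return struct.unpack(">I", os.urandom(4))[0]


def run_transaction(terminal, card, issuer, amount, date):
    un = terminal.new_un()
    atc, cryptogram = card.generate_ac(amount, date, un)
    return issuer.authorise(amount, date, un, atc, cryptogram)


def predict_uns(observed, count):
    """Attacker's model of a counter-style generator: assume a constant stride."""
    stride = observed[-1] - observed[-2]
    return [(observed[-1] + stride * i) & 0xFFFFFFFF for i in range(1, count + 1)]


def harvest(card, predicted_uns, amount, date):
    """Skimmer with the real card in hand: have it sign each predicted UN now."""
    return {(amount, date, un): card.generate_ac(amount, date, un) for un in predicted_uns}


def preplay_demo(terminal_cls, attempts=5):
    """Returns the issuer's verdict for each attempt made with the clone."""
    issuer, victim, target = Issuer(), Card(), terminal_cls()
    amount, date = 4999, "2014-05-05"  # constructed: 49.99 on a fixed day
    observed = [target.new_un(), target.new_un()]  # watch two legitimate UNs
    clone = PreplayClone(harvest(victim, predict_uns(observed, attempts), amount, date))
    return [run_transaction(target, clone, issuer, amount, date) for _ in range(attempts)]


def un_pattern_warning(samples):
    """Cheap sanity check on a terminal's UN stream: flag a constant stride
    (a counter) or high-order bits that never change. None means no pattern."""
    if len(samples) < 3:
        return "need at least three samples"
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(samples, samples[1:])}
    if len(deltas) == 1:
        return "counter: constant stride 0x%x" % deltas.pop()
    if len({s >> 16 for s in samples}) == 1:
        return "high 16 bits constant"
    return None


if __name__ == "__main__":
    print("counter terminal:", preplay_demo(CounterTerminal))
    print("random terminal: ", preplay_demo(RandomTerminal))
```

Note what the issuer can and cannot see: each pre-computed cryptogram carries a fresh, never-used ATC and a valid MAC, so an ATC-replay check does nothing against pre-play; only the terminal's own randomness stands in the way. The pattern check is deliberately crude (two rules, no statistical test) and is meant as the first filter one would run over a log of UNs, not as a proof of randomness.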
It is unknown whether PayPal’s Marcus was the victim of this sort of attack, but his experience is an instance of exactly the kind of fraud — a cloned card — that EMV is supposed to prevent. Security experts say the technology is nonetheless far superior to the magnetic stripe cards that most Americans use.
Credit card issuers are pushing for widespread adoption of the chip cards by October 2015. Banks and merchants have been squabbling over the multibillion-dollar cost of conversion, though they generally agree that upgrades are necessary.
Thomas Borton of the Information Systems Audit and Control Association said the United States needs to adopt complementary antifraud technology such as tokenization, which generates a unique code for each transaction.
Proponents of chip card technology agree that additional antifraud controls are needed, but they stress that chip-and-PIN cards should be a baseline for security.
“The Fed must not let banks do the same liability shift that occurred in Britain, and indeed also in Canada,” Anderson said. “All the fraud costs are dumped on either the merchant or the card-holder [in Britain], despite the fact that it’s the bank that operates the systems and pays the fraud detection agencies.”
In his string of tweets, Marcus, who was not made available for further comment, never said whether the charges on his card were cleared up. He did take the opportunity to plug PayPal’s safeguards, saying the theft of his data would not have happened if the merchant had accepted PayPal.
“Obfuscating card data online, on mobile and now more and more offline remains one of PayPal’s strongest value props,” he said.