While chip-and-PIN technology is meant to protect bank cards from card skimming, criminals have found ways to work around the chip’s protection.
That’s according to Nathan Desfontaines, who spoke at a recent meeting of the South African chapter of the International Association of Privacy Professionals.
Desfontaines said that although the chip on your bank card protects you from fraud by requiring a PIN for transactions, legacy support for swiping means that cards are still vulnerable.
Skimmers also exploit floor limits that banks afford to clients.
A floor limit is a set transaction value, below which the card machine does not authenticate a transaction with the bank.
Instead, the details of the transaction are held and processed in a batch at the end of an agreed period (daily, weekly, or monthly).
Floor limits are useful in places that deal with large volumes of customers, where the risk of authenticating a transaction later is worth the extra speed. Toll gates are an example.
Swiping without getting a PIN prompt
In South Africa, when you swipe a debit or credit card without putting in the chip first, it tells you to insert the chip part of the card.
This function is controlled by the card’s service code, said Desfontaines.
However, since the service code is stored on the card, skimmers can manipulate it to make the card behave as if it were not secured by a chip and PIN.
Luis Padilla from Universidad Complutense de Madrid published a specification of the data stored on the magnetic stripes of financial cards, including the service codes.
Examples of service codes may be found in a Visa newsletter on mitigating fraud risk through card data verification.
The infographic and photos below of a card skimming demo illustrate how track data is stored and what different service codes mean.
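As an added illustration of the Track 2 layout and service codes described above (example code written for this article, not from Desfontaines' talk or the Padilla specification), the following parser pulls the service code out of a Track 2 string, decodes its three digits per ISO/IEC 7813, and runs the issuer-side check a bank can apply to a swiped transaction: the issuer knows which service code it encoded, so a presented code that differs from the issued one, or a chip-declaring card arriving as a swipe, is a red flag. The PAN, expiry and issuer record are constructed test values.

```python
import re

# ISO/IEC 7813 service-code digit meanings (values relevant to chip and PIN policy).
INTERCHANGE = {"1": "international", "2": "international, chip where feasible",
               "5": "national", "6": "national, chip where feasible",
               "7": "no interchange (bilateral only)", "9": "test"}
AUTHORISATION = {"0": "normal", "2": "online authorisation (contact issuer)",
                 "4": "online authorisation except under bilateral agreement"}
SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
            "2": "goods and services only", "3": "ATM only, PIN required",
            "4": "cash only", "5": "goods and services only, PIN required",
            "6": "no restrictions, PIN where feasible",
            "7": "goods and services only, PIN where feasible"}

# Track 2: start sentinel ';', PAN, field separator '=', expiry YYMM, 3-digit
# service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r"^;?(\d{1,19})=(\d{4})(\d{3})(\d*)\??$")

def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into PAN, expiry (YYMM), service code and discretionary data."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("not a valid Track 2 string")
    pan, expiry, service_code, discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code,
            "discretionary": discretionary}

def describe_service_code(code: str) -> dict:
    """Decode the three service-code digits; first digit 2 or 6 means a chip card."""
    return {"interchange": INTERCHANGE.get(code[0], "unknown"),
            "authorisation": AUTHORISATION.get(code[1], "unknown"),
            "services": SERVICES.get(code[2], "unknown"),
            "chip_card": code[0] in ("2", "6"),
            "pin_required": code[2] in ("0", "3", "5")}

# Constructed issuer record (assumption): the service code the issuer encoded per PAN.
ISSUER_SERVICE_CODES = {"4111111111111111": "201"}

def check_swipe(track2: str) -> list:
    """Issuer-side findings for a magstripe swipe; an empty list means nothing suspicious."""
    t = parse_track2(track2)
    info = describe_service_code(t["service_code"])
    findings = []
    if info["chip_card"]:
        findings.append("card declares chip: terminal should have prompted for chip insertion")
    issued = ISSUER_SERVICE_CODES.get(t["pan"])
    if issued and issued != t["service_code"]:
        findings.append(f"service code {t['service_code']} differs from issued {issued}")
    return findings
```

The second check is the one that matters against stripe tampering: the terminal can only act on what the stripe says, but the issuer can compare it with what was actually issued.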