PayPal President’s EMV Card Skimmed During UK Visit

David Marcus, president of PayPal, admitted on Twitter Monday that his Europay, MasterCard and Visa (EMV) credit card was skimmed during a recent visit to the UK. The culprit then used the information to make a series of purchases.

Chip cards cannot be cloned, so how was Marcus’ card compromised?

Toronto-based security expert Chris Mathers believes the chip card terminal likely had an issue processing the card as a chip card and instead processed it as it would an ordinary mag-stripe card.

“It’s happened to me here in Canada a couple of times, and we’re exclusively chip here,” Mathers said. “I’ve put my card in and the merchant says ‘we’re not reading your chip. Swipe it’. I think it’s because the cards and the machines can’t talk to each other all over the world. There’s no common international protocol. There are varying degrees of card security depending on the jurisdiction you’re in.”

Marcus’ mishap is sobering news for chip-card advocates because it calls into question the security of chip cards. Some security experts have warned that chip cards would not have prevented the recent breach at US retailer Target, Digital Transactions noted. Given that data can still be transmitted unencrypted, or in plain text, during an EMV transaction, fraudsters could still theoretically intercept the same data they would from mag-stripe cards, such as the primary account number (PAN), card expiration date and cardholder name.

EMV proponents say that information would be useless to hackers because it is still virtually impossible to clone a chip card. But they could still use that data to make purchases online, where not having the chip wouldn’t matter.

“The same controls that would keep the data safe in an EMV world would also keep the data safe in a Non-EMV world,” wrote business security specialist Branden R. Williams, in a blog post. “So, the stock answer is no, EMV by itself would not have prevented the Target breach. In fact, we know that EMV actually facilitates card-not-present fraud due to their handling of ‘routing information,’ which is what we call ‘sensitive authentication information,’ or the data that is typically known in the mag-stripe as tracks data.”

However, other experts insist that such a breach could not have happened with EMV, as the encryption is said to begin at the point-of-sale (POS) terminal. “The minute you put your information in, it’s encrypted there,” said Mathers. “I’m not going to say it’s not possible – as we know, anything is possible. But the encryption starts at the POS terminal, which is supposed to provide you with an extra level of security. So the overriding question is, how long will that extra level of security hold?”
