{"id":25658,"date":"2023-03-10T02:39:21","date_gmt":"2023-03-10T07:39:21","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-protect-emv-and-nfc-bank-cards\/25658\/"},"modified":"2023-03-16T16:18:37","modified_gmt":"2023-03-16T16:18:37","slug":"how-to-protect-emv-and-nfc-bank-cards","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-protect-emv-and-nfc-bank-cards\/25658\/","title":{"rendered":"How cybercriminals steal funds from bank cards \u2014 and how to protect yourself from such theft"},"content":{"rendered":"<p>Payment services have become both more convenient and more secure over recent years \u2014 but cybercriminals are still managing to steal funds from cards all around the world. What are the most common methods used for such theft, and how can you counteract them?<\/p>\n<h2>Card cloning<\/h2>\n<p>When cards only stored information on a magnetic strip, it was quite easy for fraudsters to produce an exact copy of a card and use it for payments in stores and withdrawals at ATMs. At first, the data was read with a special device \u2014 a skimmer that was mounted on an ATM or a terminal in a store. This was supplemented by a camera or a special pad on the terminal keyboard to find out the card\u2019s PIN code. Having obtained a card dump and a PIN, fraudsters wrote the data to a blank card and used it at an ATM or in a store.<\/p>\n<p>This technology still works in some parts of the world, but the advent of chip cards has greatly reduced its effectiveness. A card with a chip is not so easy to copy. That\u2019s why criminals started infecting payment terminals with malicious code that copies some data from the card while processing a legitimate purchase. Subsequently, the scammers send cleverly generated payment requests using this information. In essence, they only send data that was previously recorded on the magnetic strip, but label the transaction as being conducted by the chip. 
This is possible where banks don\u2019t cross-reference various transaction parameters in sufficient detail and incorrectly implement the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EMV\" target=\"_blank\" rel=\"nofollow noopener\">EMV<\/a> protocols that all chip-card actions must abide by.<\/p>\n<p>With banks that don\u2019t suffer from such laxity, attackers use an even more sophisticated trick. When the victim makes a legitimate payment, the infected payment terminal requests that the inserted card <a href=\"https:\/\/securelist.com\/prilex-atm-pos-malware-evolution\/107551\/\" target=\"_blank\" rel=\"noopener\">generate another, fraudulent transaction<\/a>. Thus, the card itself isn\u2019t copied, but extra funds are deducted from it anyway.<\/p>\n<p><strong>How to protect yourself:<\/strong> try to use the contactless payment function on your phone, which is better protected. If you still need to insert a card into a terminal, carefully check the PIN-code panel for suspicious modifications. Also, cover the panel with your hand, purse or other object when entering the code. If the terminal <a href=\"https:\/\/www.kaspersky.com\/blog\/prilex-blocks-nfc\/47044\/\" target=\"_blank\" rel=\"noopener nofollow\">suddenly does not accept contactless payment<\/a>, unusual messages appear on its screen, or the PIN needs to be entered repeatedly, this is a reason to be suspicious and take additional protective measures. 
You could, for example, immediately check your account statement, or set a low limit for spending money on the card.<\/p>\n<blockquote><p><strong>\u201cBulletproof\u201d wallets<\/strong><br>\nThere are <a href=\"https:\/\/en.wikipedia.org\/wiki\/Radio-frequency_identification\" target=\"_blank\" rel=\"nofollow noopener\">RFID<\/a>-protected <a href=\"https:\/\/www.travelandleisure.com\/best-products\/best-rfid-blocking-wallets\" target=\"_blank\" rel=\"nofollow noopener\">wallets<\/a> and <a href=\"https:\/\/www.amazon.com\/RFID-Purse\/s?k=RFID+Purse\" target=\"_blank\" rel=\"nofollow noopener\">purses<\/a> available to buy these days, which protect the physical cards inside them from being read remotely, for example on public transport. There\u2019s nothing wrong with such protection\u00a0\u2014 it really does work. However, this attack scenario is virtually never used in practice. You can read only basic information from the card during such a quick scan, and that usually isn\u2019t enough for making a payment. At the same time, it\u2019s easy to find out the last locations and amounts of contactless payments, though!<\/p><\/blockquote>\n<h2>Card data theft via the internet<\/h2>\n<p>Here, scammers are after bank-card details so they can make payments online. These usually include the card number, expiration date, and verification code (CVV\/CVC); depending on the country, the cardholder\u2019s name, zip code, or passport number may also be sought. 
There are at least three effective ways scammers collect this data:<\/p>\n<ol>\n<li>Luring it out of the victim by organizing a fake online store or a phishing <a href=\"https:\/\/www.kaspersky.com\/blog\/amazon-related-phishing-scam\/37801\/\" target=\"_blank\" rel=\"noopener nofollow\">copy of a real online store<\/a>, or under the guise of raising money for charity.<\/li>\n<li>Intercepting information by infecting either the web page of the actual online store (web skimmers) or the victim\u2019s computer\/smartphone (banking Trojan).<\/li>\n<li>Hacking into a real online store and stealing stored customer payment card information. Note that stores are not supposed to keep the full card information, but this rule is unfortunately sometimes breached.<\/li>\n<\/ol>\n<p>Overall, this method of theft, though old, is here to stay; for example, according to our analysis, bank-data theft attacks almost <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2022_black-friday-report-banking-credentials-theft-doubled-in-2022\" target=\"_blank\" rel=\"noopener nofollow\">doubled<\/a> in 2022.<\/p>\n<p><strong>How to protect yourself:<\/strong> first, get a virtual card for online payments. If it\u2019s not too difficult or expensive, have a new virtual card issued and block the old one at least once a year. Second, set a low limit on your online payment card, or just keep a very small amount of money on it. Third, make sure that the bank always requires you to confirm online payments with a one-time code (using 3-D Secure or similar mechanisms). And fourth, carefully check the payment forms and addresses of the sites where you enter financial information. 
To worry less about this problem, use <a href=\"https:\/\/www.kaspersky.co.uk\/premium?icid=gb_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">cybersecurity tools<\/a> that safely protect online payments.<\/p>\n<h2>Old-fashioned card and phone theft<\/h2>\n<p>This is the most noticeable and blatant theft method, but it\u2019s still common. Savvy criminals can use cards for online payments by finding an online store that doesn\u2019t require entering additional verification codes. A simpler but no less effective way is to use a stolen card for a contactless payment that doesn\u2019t require entering a PIN. There\u2019s usually a limit for payments made this way, and in some countries <a href=\"https:\/\/www.card-saver.co.uk\/contactless-payments-will-now-be-declined-if-used-five-times-in-a-row-heres-why\/\" target=\"_blank\" rel=\"nofollow noopener\">after three to five such payments<\/a> the card is blocked, but in the UK for example, a victim\u2019s losses from this primitive method of theft can easily reach 500 pounds sterling (5\u00a0\u00d7\u00a0<a href=\"https:\/\/www.ukfinance.org.uk\/press\/press-releases\/contactless-limit-increase-100-15-october\" target=\"_blank\" rel=\"nofollow noopener\">\u00a3100<\/a>). A phone is always valuable to thieves, and if it has Google Pay enabled, it\u2019s possible to pay even from a blocked one within the allowable payment limit, causing additional loss to the victim.<\/p>\n<p>Security researchers have shown that even if a card is blocked after entering the wrong PIN three times, it\u2019s still sometimes <a href=\"https:\/\/www.paymentvillage.org\/blog\/modern-emv-and-nfc-cardholder-verification-issues\" target=\"_blank\" rel=\"nofollow noopener\">possible<\/a> to make contactless payments. 
An attacker could also <a href=\"https:\/\/www.paymentvillage.org\/blog\/how-to-clone-google-paymastercard-transactions\" target=\"_blank\" rel=\"nofollow noopener\">exchange some data with a blocked phone<\/a> and then use modified records of that exchange to make one-time fraudulent payments. Fortunately, both attack types have been detected by ethical researchers, so there\u2019s hope that scammers aren\u2019t using these methods yet.<\/p>\n<p><strong>How to protect yourself:<\/strong> it\u2019s best to set relatively small spending limits on cards for daily use. If your bank allows it, you can separately set a low limit for contactless payments. Of course, you should make sure that you can increase the limit quickly should the need arise. Alternatively, you can have a virtual card issued with low limits and link Google\/Apple\/Samsung Pay to it. If the payment app can be set up to only allow payments from an unlocked phone, do so.<\/p>\n<p>In conclusion, we note that rules are emerging in many countries whereby victims are partially or fully compensated for fraud. 
To take advantage of this, we recommend that you be careful with any card payments, set up the fastest way to be notified of them (push or SMS), and contact your bank as soon as possible if you see any suspicious transactions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We investigate why chip cards are no panacea, and what precautions should be taken when making a payment.<\/p>\n","protected":false},"author":2722,"featured_media":25659,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026,9],"tags":[796,905,697,80,2250,797,179,701,529,131],"class_list":{"0":"post-25658","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-apple-pay","10":"tag-bank-cards","11":"tag-banks","12":"tag-fraud","13":"tag-google-pay","14":"tag-nfc","15":"tag-safe-money","16":"tag-scam","17":"tag-threats","18":"tag-tips"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/how-to-protect-emv-and-nfc-bank-cards\/25658\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/how-to-protect-emv-and-nfc-bank-cards\/25369\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/how-to-protect-emv-and-nfc-bank-cards\/20808\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/how-to-protect-emv-and-nfc-bank-cards\/10461\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/how-to-protect-emv-and-nfc-bank-cards\/27975\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/how-to-protect-emv-and-nfc-bank-cards\/26092\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/how-to-protect-emv-and-nfc-bank-cards\/28540\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/how-to-protect-emv-and-nfc-bank-cards\/34844\/"},{"hrefla
ng":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/how-to-protect-emv-and-nfc-bank-cards\/11374\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-to-protect-emv-and-nfc-bank-cards\/47475\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/how-to-protect-emv-and-nfc-bank-cards\/20316\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/how-to-protect-emv-and-nfc-bank-cards\/20934\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/how-to-protect-emv-and-nfc-bank-cards\/29901\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/how-to-protect-emv-and-nfc-bank-cards\/33444\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/how-to-protect-emv-and-nfc-bank-cards\/25965\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-to-protect-emv-and-nfc-bank-cards\/31678\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-to-protect-emv-and-nfc-bank-cards\/31383\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/safe-money\/","name":"safe 
money"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/25658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=25658"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/25658\/revisions"}],"predecessor-version":[{"id":25676,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/25658\/revisions\/25676"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/25659"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=25658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=25658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=25658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}