New EMV card phishing scam targets credit users

While the cards are better at combating fraud, gaps remain in their security features.

With the transition to the more secure EMV chip credit cards, many consumers have begun to feel a sense of security. Yet scammers have already started to adapt to the new technology, targeting users with a new data phishing scheme built around confusion over the switch to the new technology. The scam involves sending users sophisticated emails put together to resemble official correspondence from a legitimate lender or creditor.


“So now they’re sending much more legitimate emails,” says Bonnie Smyre, an Internet security expert at RAXIS. “It’s hard to tell that they’re fake. They often fake an email address so it looks like it’s from your bank. They use graphics from your bank. It looks very legit, then they ask you, ‘You need to update your information. Your card is on the way, but before it can take effect we need your personal and banking information to be updated’.”

This highlights the fact that, while the cards are better at combating fraud, gaps remain in their security features. Many U.S. banks have been opting to issue EMV cards that offer transactions built around “chip ‘n’ signature” instead of the more secure two-step authentication with a chip and PIN code.

“Chip and PIN has been proven to combat fraud dramatically,” says Brian Dodge, executive vice president of the Retail Industry Leaders Association. “But that’s not what American consumers are getting, and thus far banks have gone to great lengths to blur the lines between the two distinctly different transactions.”

Aided by lax standards at banks, scammers continue to innovate and the potential for fraud remains high. Researchers have already found a vulnerability that would allow an attacker to generate the supposedly secure unique transaction code that is the key to the EMV cards’ security, making it only a matter of time before they can clone the chip as well.

“If you only have one way of stopping the cyber thief, they’re going to put all their energy into getting around that,” says Jason Brewer, spokesman for the Retail Industry Leaders Association. “By not having the PIN, you’re only forcing them to figure out a way to get around the chip. There are already skimmers [devices placed on card readers to sniff data] trying to figure out how to get around the chip. Why not do the two-factor authentication?”

The answer to this question is complex: Even with the millions of dollars lost every year to retail fraud, banks are dragging their feet when it comes to educating consumers about how to use the new cards, or even the reason that they are receiving them. This has led to a systemic culture of insecurity and credit risk that undermines the effectiveness of the new technology.
