Flaw in Chip-Based Credit Cards Could Allow Bad Guys to Create Counterfeit Cards

Reason #2,723 why NFC-based payment systems like Apple Pay and Android Pay are safer than EMV chip-based credit and debit cards: Computer researchers at payment technology company NCR have discovered a flaw in chip-based credit cards that allows thieves to create counterfeit cards by rewriting a card’s magnetic stripe code to make it appear to be an old-school chipless card.

NY Daily News:

Chip cards — which became a nationwide upgrade over the past two years — are supposed to be nearly impossible to counterfeit, but researchers said this security flaw exists because of retailers failing to encrypt transactions when upgrading their payment machines.

“There’s a common misperception EMV solves everything. It doesn’t,” Patrick Watson, researcher at NCR, told CNNMoney.

NCR announced their discovery at the Black Hat computer security conference Wednesday, and not everyone agrees with them that the “flaw” would allow a bad guy to pull off a fraudulent charge.

Randy Vanderhoof, director at U.S. Payments Forum, said that altering the data on the magnetic stripe might fool the terminal, but that on the back end the system would still reject the transaction.

NCR points out that whether the bad guys can rewrite a magnetic stripe or not, retailers should still be encrypting every transaction, even if it costs them extra to do so. (It should be noted that NCR offers such services.)

While not every retailer encrypts each credit or debit card transaction, customers can protect themselves by using special payment systems available on smartphones from Apple, Samsung, and other device makers. Apple Pay and other NFC-based payment systems encrypt each transaction and don’t use the customer’s actual credit card number for the transaction, instead completing the payment with an end-to-end encrypted one-time token.