News
Hackers stole $1.66M from German bank OLB by cloning EVM cards
September 6, 2019
EVM (chip and pin technology) was supposed to help make credit and debit cards safe from fraud, but it isn't completely foolproof.
As ZDnet first reported, cyber criminals have stolen more than 1.5 million euros ($1.66 million) from German bank Oldenburgische Landesbank by cloning customer debit cards. The cards were protected by EMV technology.
According to a statement released by the bank on Aug. 27, the incident involved Mastercard debit cards issued by OLB for 2,000 customers. OLB has refunded all of its affected customers and also blocked the Mastercard debit cards. The bank is now in the process of issuing new cards to its users.
OLB also confirmed the incident was not the result of a data breach at OLB, Mastercard or any third party. The bank surmised that the incident was more likely the handiwork of an "organized cybercrime involving counterfeit cards and terminals."
Many EMV cards still have a magnetic stripe on the back. The track two data on the stripe is identical to the data encoded on the chip. Yet, while thieves may be able to steal data on the cards using skimmers or simply by intercepting the conversation between the card and a point-of-sale terminal, they still need to clone the cards — a task made more difficult with the chips.
But according to a Kaspersky report put out last year, a criminal gang in Brazil has developed an infrastructure that can do just that.
It's worth nothing that the Brazilian group Kapersky studied obtained card data using malware that modified POS software to allow a third party to capture the data transmitted by the POS to the bank. “Basically, when you pay at a local shop whose POS terminal is infected, your card data is transferred right away to the criminals,” Kapersky wrote.
In a recent interview, Scott Schober, cybersecurity expert and CEO of Berkeley Varitronics Systems, told ATM Marketplace that eliminating magnetic stripes on the back of cards could help to make them more secure. "Until the payment industry completely migrates away from magstripes on debit and credit cards, cybercriminals will continue to skim every penny they can. The payment industry needs to upgrade their infrastructure to accept EMV-only cards," he said.
