The new microchip-enabled credit and debit cards that millions of Americans are using are designed to make it harder for crooks to steal sensitive data. But, of course, that hasn't stopped them from coming up with sneaky new ways of trying.
State officials in New York are warning consumers of a new phishing scam involving so-called EMV chip cards, which were introduced in the U.S. three years ago and are becoming ubiquitous here. Scammers, pretending to be card issuers, are sending emails to individuals who haven't yet received their new chip cards, according to the New York State Department of State's Division of Consumer Protection (DCP).
The emails ask recipients to update their accounts by providing personal information in order to receive their new chip cards, or to click on a link to continue the process. Clicking on the link can install malware on your computer or mobile device, according to the DCP.
EMV chip cards are, in fact, more secure than traditional magnetic-stripe cards, which store unchanging data that can be easily copied (skimmed) by thieves and used to produce counterfeit cards. Data-skimming devices are cheap and can be used by waiters and store clerks or be installed in ATMs and gas pumps, said David Robertson, publisher of The Nilson Report, a trade journal covering the payment-card industry.
Each time an EMV card is used for a payment, its computer chip -- which stores account data -- creates a unique code that cannot be reused for another transaction. The technology makes EMV cards more difficult to counterfeit and is already helping to reduce payment-card fraud, which topped $8 billion in the U.S. last year, according to The Nilson Report. Some merchants using chip-enabled payment terminals saw an 18 percent drop in counterfeit transactions in the last quarter of 2015, compared to the same period in 2014, according to Visa (V).
But DCP officials note that EMV cards are still vulnerable to fraud. Currently, most EMV cards in the U.S. are "chip-and-signature cards," which are less secure than the "chip-and-PIN" variety. With the former, a shopper simply needs to provide a signature to complete a purchase. With the latter, a personal identification number must be entered at the point of sale.
If your chip-and-signature card is stolen, it's as vulnerable to fraudulent use -- whether for in-store or online purchases -- as a traditional magnetic-stripe card, DCP officials warn.
As issuers keep rolling out EMV cards, the rollout is likely to make a big dent in counterfeit-card fraud, but crooks are adapting by trying easier ways of getting their hands on sensitive personal and account data. That's what the recent phishing scams aimed at consumers who haven't yet received their chip cards are trying to do.
Consumers who fall for such scams may be exposing themselves to identity theft, which is typically done for financial gain. By compiling profiles on individual consumers, some scammers are able to open credit cards in their victims' names, explained Robertson of The Nilson Report.
"The card issuer gets scammed into giving a new card with a line of credit in your name, and the criminal runs up the card by the time the issuer knows" what's happening, he said.