That’s the Way the Chips Crumble

Chip cards were supposed to cut down on fraud. They may have just shifted it online.

A credit card being inserted into a chip reader to make a payment.
Clay Banks on Unsplash

When I was traveling in Australia recently, I had to explain repeatedly at restaurants and shops that my credit card actually had to be physically inserted into a machine in order to pay for something. Everyone in Sydney seemed to be using contactless payments that allowed them to just tap their credit cards to pay for things. It reminded me of the experience, not so many years ago, of explaining to foreign merchants that my credit card didn’t have a microchip and they had to swipe it. Of course, now that I finally have microchips in my cards, the rest of the world appears to be moving on.

Microchip credit cards officially took off in the United States when payment card companies announced a liability shift would go into effect in October 2015, forcing banks that didn’t issue chip-enabled cards and merchants that didn’t read those chips to cover the costs of any resulting fraud. So, years after Australia and most countries in Europe made the shift, U.S. banks and merchants finally began investing in microchip cards and the payment terminals needed to read them. It was a massively expensive undertaking for both the banks that had to reissue all their old credit cards and the stores that had to replace all their old payment terminals, but it was supposed to be worth it because it would dramatically drive down fraud by making it harder for criminals to steal our payment card numbers.

But as security journalist Brian Krebs reported last week, data from Gemini Advisory suggests that the chip cards have not necessarily dramatically reduced payment card fraud so much as they have shifted it online.

Gemini tracks black markets for stolen data to monitor how much those records are sold for and how widely they are available. Since many cybercriminals are driven by financial motives—i.e., they steal data because they want to make money—these prices are often a good indicator of what kinds of organizations and data sources are likely to be targeted. For instance, in 2014, as the U.S. was beginning to shift to chip cards, reports indicated that complete medical records were worth 10 times as much as stolen credit card numbers on the black market. There are many possible explanations for this: a glut of available stolen card numbers, concerns about the new chip technology making it harder to use those numbers, improving fraud detection and prevention systems being piloted by the banks and payment card networks. Meanwhile, medical records could be used to conduct lucrative insurance fraud and identity theft schemes. But regardless of the reason, the rising value of medical records spurred a wave of breaches directed at hospitals and medical insurance companies.

Now, however, the value of stolen payment card numbers is on the rise again, according to Krebs’ report. But it’s the value of payment card data stolen from online merchants that has doubled—not the card data stolen from point-of-sale terminals and brick-and-mortar retailers. This is a significant reversal for cybercriminals, since point-of-sale data used to be the gold standard for stolen payment card information; it came from cards that were still active, since they were being used to pay for things at the time they were stolen and, more importantly, contained all the information needed to manufacture a fraudulent physical card. The big money in payment card data breaches came from selling those fraudulent physical cards, since they allowed people to walk into stores and make purchases.

This “card-present” fraud had a significant advantage over buying things online with stolen credit card numbers, also called “card-not-present” fraud. For one thing, when you purchase something in a store, you don’t need to provide a shipping address or any information about how to deliver the purchase that could be traced back to you when the card is reported stolen. If the stolen card number is just used to purchase a service online (say, a Netflix subscription), rather than a physical item, that service can be canceled when the fraud is discovered. For this reason, data that could be used to manufacture physical card replicas used to sell for $15 to $20 per card, while online retail breach records that yielded data that could only be used for card-not-present fraud went for closer to $2 to $8 per account, according to Krebs’ analysis of Gemini’s data. Now the median price of both types of data is roughly equal, hovering around $15 per stolen record.

That’s because it’s now harder to manufacture fraudulent credit cards, because of the expense and complexity of forging a microchip. Plus, thanks to that microchip, many payment terminals for card-present transactions now store only a one-time code for a transaction rather than the actual card number. When you make online purchases, however, the microchip becomes irrelevant—you still just have to type in your card number and expiration date and security code. So it’s now become easier to steal payment information from online stores and also easier to conduct fraud online, because there’s no need to create a fancy imitation microchip card with your stolen data. Plus, there are more opportunities to find people’s billing addresses online even if they’re not included in stolen data sets (though usually they are when the data is stolen from an online retailer).

With demand for their data on the rise, online retailers have been targeted more frequently for breaches in the past year. In 2018, there was a 14 percent increase in payment card records stolen through e-commerce breaches, according to Gemini, though the vast majority continue to be stolen at point-of-sale devices (many of them at small businesses that did not make the shift to reading card chips or at gas stations, which were given extra time to implement the new payment technologies).

For online retailers, the message is clear: They’re a richer target for hackers than ever before, and they need to take seriously the threat of data breaches and invest heavily in securing customer payment data. For individuals worried about keeping their own money safe, the lessons are much the same as they were before microchips: Monitor your credit card bills closely, report any suspicious activity immediately, and perhaps pay a little extra attention to online purchases that you’re not sure you remember making, even if the website looks familiar or the charge is relatively small.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.