A new study shows that the majority of stolen card numbers for sale on the dark web are still coming from “card-present” transactions, and almost all of them involve chip cards.
You’ve heard it before: Now that we all have chip cards, credit card thieves have had to shift their nefarious efforts to targeting online transactions. But not so fast.
True, the theft of card numbers from “card-not-present” transactions is on the rise. Those are the purchases we make by providing our card number online or via mail or telephone orders, where we never have to present, tap, swipe or insert our actual plastic card.
But new data from Gemini Advisory shows that the majority of stolen card numbers for sale on the dark web are still coming from “card-present” transactions, and almost all of them involve chip cards.
In fact, over a 12-month period from November 2017 to October 2018, Gemini found 6 in 10 card numbers for sale globally were acquired from in-person chip card transactions, and of those, 91 percent were American chip cards. In total, almost 46 million chip card numbers were found on the dark web.
If virtually all U.S. cards are now chip-enabled, why are card-present transactions still so vulnerable? The answer lies not in the cards themselves, but the other half of the transaction equation: the terminals where these cards are used.
Some merchants have not yet installed a chip-enabled terminal. These are mostly gas stations, which have until 2020 to completely move from swiping cards to inserting chip cards, and other small to medium businesses, for which the investment can be a tough hurdle.
But even among merchants that have installed a chip-enabled terminal, some have failed to activate all of the chip security features, which is equivalent to letting customers insert their chip card, but then not closing and locking all the gates that would keep that number from reaching the dark web.
One thing is obvious: the U.S. market is the No. 1 target for credit card thieves, accounting for 79 percent of the stolen numbers. That’s 60 million American card numbers out of the 75.9 million that were for sale globally during the 12-month period.
And though thieves’ shift to card-not-present transactions is underway, the chip card transition – and the protections it can provide – is still a work in progress.
Gemini’s research is based on proprietary telemetry data collected from various dark web sources over several years. It released this analysis of card data from the past 12 months on Nov. 5.