Despite EMV, most stolen card numbers come from chip-card-present transactions

New study finds nearly 46 million chip card numbers floating on the dark web

Sabrina Karl
Personal Finance Writer
Data whiz and visual storyteller

 

You’ve heard it before: Now that we all have chip cards, credit card thieves have had to shift their nefarious efforts to targeting online transactions. But not so fast.

True, the theft of card numbers from “card-not-present” transactions is on the rise. Those are the purchases we make by providing our card number online or via mail or telephone orders, where we never have to present, tap, swipe or insert our actual plastic card.

But new data from Gemini Advisory shows that the majority of stolen card numbers for sale on the dark web are still coming from “card-present” transactions, and almost all of them involve chip cards.

In fact, over a 12-month period from November 2017 to October 2018, Gemini found 6 in 10 card numbers for sale globally were acquired from in-person chip card transactions, and of those, 91 percent were American chip cards. In total, almost 46 million chip card numbers were found on the dark web.

If virtually all U.S. cards are now chip-enabled, why are card-present transactions still so vulnerable? The answer lies not in the cards themselves, but the other half of the transaction equation: the terminals where these cards are used. 

See related: Credit card losses from synthetic identity fraud jump

Some merchants have not yet installed a chip-enabled terminal. These are mostly gas stations, which have until 2020 to completely move from swiping cards to inserting chip cards, and other small to medium businesses, for which the investment can be a tough hurdle.

But even among merchants that have installed a chip-enabled terminal, some have failed to activate all of the chip security features, which is equivalent to letting customers insert their chip card, but then not closing and locking all the gates that would keep that number from reaching the dark web.

One thing is obvious: the U.S. market is the No. 1 target for credit card thieves, accounting for 79 percent of the stolen numbers. That’s 60 million American card numbers out of the 75.9 million that were for sale globally during the 12-month period.

And though thieves’ shift to card-not-present transactions is underway, the chip card transition – and the protections it can provide – is still a work in progress.

Gemini's research is based on proprietary telemetry data collected from various dark web sources over several years. It released this analysis of card data from the past 12 months on Nov. 5. 


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 12-15-2018