Payment fraud (carding) is constantly adapting to new technologies. Here are the key stages of its development and modern methods of attack.
For legal research:
Want an analysis of a specific attack (for example, how the Shimmer device works)? Or methods for protecting POS terminals?
1. The Magnetic Stripe Era (1960s–2000s)
Main vulnerabilities:
- Static data – card number, expiration date, CVV/CVC are stored in clear text.
- Easy cloning – just copy Track 1/Track 2 using a skimmer.
Typical attacks:
- Skimming is the installation of devices on ATMs to read data.
- Phishing – fake websites/calls to steal data.
- Leak Databases – Selling Card Dumps on the Darknet.
2. EMV Implementation (2000s – Present)
EMV (chip and PIN) has made cloning much more difficult, but fraudsters have found new loopholes.Why is EMV harder to hack?
- Dynamic cryptograms (ARQC) – unique for each transaction.
- ICC Private Key – stored in the Secure Element.
- Offline authentication (DDA/CDA) – prevents data tampering.
EMV Limitations:
- Fallback on magnetic stripe – if the chip is not readable, the terminal can use old data (vulnerability!).
- Contact and non-contact attacks – skimming has evolved.
3. Modern methods of EMV fraud
A. EMV Skimming (Shimmers)
- What is it? Miniature devices that fit into a chip slot.
- How does it work?
- Read data during a transaction.
- Record the PIN (if entered).
- But! They don't copy ICC Private Key → the clone works only in fallback mode.
B. Pre-play атаки (NFC)
- What is this? Contactless payment data interception (Apple Pay/Google Pay).
- How does it work?
- The attacker places the reader in the victim's pocket.
- Receives a cryptogram and uses it before it expires.
C. Attacks on POS Terminals
- Malware in terminals (eg Dexter, Chewbacca).
- Firmware substitution – the terminal sends data to scammers.
D. Social Engineering + EMV
- Phishing with SMS substitution (SIM-swap) – to steal OTP codes.
- Fake call centers – request card details “for verification”.
4. The Future: What Attacks Are Possible?
Threats to Contactless Payments (NFC):
- Relay attacks – intercepting the card signal from a distance.
- Tokenization attacks (Apple Pay/Google Pay).
Quantum Computing:
- RSA may be hacked in the future (but EMVCo is already testing post-quantum cryptography).
5. How are payment systems protected?
| Method | Description |
|---|---|
| Cancel fallback | Visa/Mastercard block magstripe transactions if the chip fails. |
| Tokenization | Apple Pay/Google Pay use one-time tokens instead of real PAN. |
| Biometrics | Face ID, Touch ID for payment confirmation. |
| Behavior Analysis | AI identifies suspicious transactions (e.g. payments from different countries). |
Conclusion
- Magnetic stripes are almost dead due to ease of cloning.
- EMV is secure, but fraudsters attack through skimming, POS hacks and social engineering.
- The future belongs to contactless payments with tokenization and biometrics.
For legal research:
- Study EMVCo specs, PCI DSS.
- Test vulnerabilities through Bug Bounty (HackerOne, Cobalt).
Want an analysis of a specific attack (for example, how the Shimmer device works)? Or methods for protecting POS terminals?
