PayPal President’s EMV Card Skimmed During UK Visit

David Marcus, president of PayPal, admitted on Twitter Monday that his Europay, MasterCard and Visa (EMV) credit card was skimmed during a recent visit to the UK. The culprit then used the information to make a series of purchases.

Chip cards cannot be cloned, so how was Marcus’ card compromised?

Toronto-based security expert Chris Mathers believes what likely happened is that the chip card terminal had an issue processing the card as a chip card and instead processed it like it would an ordinary mag-stripe card.

“It’s happened to me here in Canada a couple of times, and we’re exclusively chip here,” Mathers said. “I’ve put my card in and the merchant says ‘we’re not reading your chip. Swipe it’. I think it’s because the cards and the machines can’t talk to each other all over the world. There’s no common international protocol. There are varying degrees of card security depending on the jurisdiction you’re in.”

Marcus’ mishap is sobering news for chip-card advocates because it calls into question the security of chip cards. Some security experts have warned that chip cards would not have prevented the recent breach at US retailer Target, Digital Transactions noted. Given that data can still be transmitted unencrypted, or in plain text, during an EMV transaction, fraudsters could still theoretically intercept the same data they would from mag-stripe cards, such as the primary account number (PAN), card expiration date and cardholder name.

EMV proponents say that information would be useless to hackers because it is still virtually impossible to clone a chip card. But they could still use that data to make purchases online, where not having the chip wouldn’t matter.

“The same controls that would keep the data safe in an EMV world would also keep the data safe in a Non-EMV world,” wrote business security specialist Branden R. Williams, in a blog post. “So, the stock answer is no, EMV by itself would not have prevented the Target breach. In fact, we know that EMV actually facilitates card-not-present fraud due to their handling of ‘routing information,’ which is what we call ‘sensitive authentication information,’ or the data that is typically known in the mag-stripe as tracks data.”

However, other experts insist that such a breach could not have happened with EMV, as the encryption is said to begin at the point-of-sale (POS) terminal. “The minute you put your information in, it’s encrypted there,” said Mathers. “I’m not going to say it’s not possible – as we know, anything is possible. But the encryption starts at the POS terminal, which is supposed to provide you with an extra level of security. So the overriding question is, how long will that extra level of security hold?”


Related reading