Fraud & Fallback: What You Need to Know About Skimming Attacks
The adoption of chip technology has significantly shifted the responsibility for fraud liability.
The implementation of chip technology in payment cards has transformed the landscape of fraud prevention. In October 2014, chargeback rules changed to transfer fraud liability to the weakest link at the point of sale (POS): any party not equipped with chip-enabled technology bears the fraud liability. By 2016 and 2017, this liability shift extended to automated teller machines (ATM) and interactive teller machines (ITM), prompting debit and credit card issuers to implement chip and contactless options to thwart magnetic stripe counterfeit card fraud.
POS & ATM/ITM Fallback: A Shift in Fraud Liability
Fallback authorizations were introduced following the rollout of chip technology. In instances where a chip card fails to read at a chip-enabled device, fallback authorizations allow the transaction to proceed using the card’s magnetic stripe at the POS or ATM/ITM. However, enabling fallback authorizations means that the card issuer relinquishes dispute and chargeback rights, thereby assuming liability for any unauthorized fraud losses. It is crucial that merchants’ POS devices and systems are properly programmed to accept chip-enabled cards seamlessly.
Fallback authorizations can occur in two primary circumstances: at POS devices and at ATMs/ITMs. Notably, many instances of “skimming” card fraud involve cards that have been skimmed and subsequently fail to read at chip-enabled devices. Therefore, it is essential to determine whether your institution is allowing fallback authorizations for both POS and ATM/ITM transactions involving chip-enabled cards.
Point of Sale Fallback
Fallback can occur in two scenarios at POS:
Scenario #1: The Bad Actor: A bad actor inserts a chip card into a merchant’s chip-enabled POS device, causing the chip to fail to read. The merchant then instructs the cardholder to swipe the card. If fallback is enabled, the transaction proceeds as a fallback magnetic stripe authorization. In this case, the card issuer forfeits chargeback rights against the merchant.
Scenario #2: The Legitimate Cardholder: A legitimate cardholder’s chip fails to read on the merchant’s chip-enabled POS device. The merchant instructs the cardholder to swipe the card, resulting in a fallback magnetic stripe authorization. Here again, the card issuer loses chargeback rights against the merchant. It is important to advise cardholders to report such occurrences, allowing the issuer to notify the card associations about the non-compliant merchant. Additionally, the issuer may need to reissue a new chip card to the cardholder, similar to the practice when a magnetic stripe was demagnetized before the chip rollout. If the cardholder’s chip works at other POS terminals, it indicates a programming issue with the initial merchant’s chip-enabled POS device.
ATM/ITM Fallback
If your ATM or ITM is chip-enabled, and your issued cards are also chip-enabled, there is no justification for allowing fallback magnetic stripe authorizations. Should your institution still utilize outdated ATM network cards, which lack chip capability, it is advisable to transition these cards into your debit card program. For financial institutions that no longer issue these legacy ATM network cards, blocking fallback at your ATMs/ITMs will not pose any challenges. This measure will effectively prevent the use of both skimmed cards (issued by the credit union) and foreign cards, along with non-chip cards at your chip-enabled ATMs/ITMs.
How Fallback Attacks Occur
Fallback attacks occur on “skimmed” cards when a bad actor inserts a chip card, causing the chip to fail at either a POS or ATM/ITM. If your financial institution permits fallback when the chip authorization fails, the transaction will proceed as a magnetic stripe authorization. Enabling magnetic stripe fallback means relinquishing your chargeback rights against the card-present merchant. It is crucial to understand the risks associated with fallback authorizations on chip cards. Both chip cards and readers undergo rigorous testing and certification, making fallback incidents exceptionally rare.
The critical question is: Does your financial institution want to assume the fraud liability risk for magnetic stripe fallback fraud when chip technology fails?
If your institution authorizes a fallback transaction that is fraudulent, you will be liable for the resulting fraud losses.
Recognizing Authorization Fallback
- MasterCard’s chip card fallback entry mode is POS 80 when the chip card was unable to process, and the magnetic stripe read is the default.
- Visa’s chip card fallback is a POS 90 with a condition code to identify a magnetic stripe fallback authorization.
Risk Mitigation Steps
1. ATMs/ITMs
- Chip and Contactless Authorizations: Only allow chip or contactless authorizations at your ATMs/ITMs. Configure them to permit only POS 05 (chip) and, if supporting contactless, POS 07 (contactless) with Merchant Category Code (MCC) 6011 for electronic cash disbursements. This setup prevents fallback magnetic stripe authorizations, so an attempt with a skimmed card is declined rather than approved.
2. POS Device Authorizations
- Monitor for Fallback Fraud: Ensure your current strategy minimizes POS fallback fraud. For example, limit POS fallback authorizations to a specific amount (e.g., $100) within a 24-hour period.
- Dispute/Chargeback Rights: Recognize that unauthorized POS fallback fraud on your chip cards leaves you with the fraud liability.
- Risk Assessment: Assess the balance between fallback fraud risk and customer service. Restricting to “chip on chip” or “contactless” authorizations reduces fallback fraud liability.
- Monitoring and Reporting: Regularly review authorization reports to identify problematic merchants and terminals, and report them to the card association.
3. Collaboration With Service Providers
- POS Terminals: Work with your card processor and authorization provider to prevent fallback authorizations on POS terminals.
- ATM/ITMs: Collaborate with your ATM/ITM authorization provider to prevent fallback authorizations.
4. Cardholder Education
- Promote Contactless Options: Encourage cardholders to use the contactless feature on their chip cards or mobile wallets if the chip fails at POS and ATMs/ITMs that have contactless enabled.
5. Addressing Skimming Attacks
- Vendor Collaboration: Work with your ATM/ITM vendor to address skimming issues, ensuring only POS 05 (chip) and POS 07 (contactless) authorizations are allowed to prevent fallback to a magnetic stripe authorization (POS 90).
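The following is an added illustration, not code from the article or from Allied Solutions, of how the entry-mode recognition above (MasterCard POS 80; Visa POS 90 with a fallback condition code) and the mitigation rules (chip/contactless only at MCC 6011, a $100 per 24-hour cap on POS fallback) might be expressed in an issuer's authorization rules. The Visa condition code value, the `Auth` record layout and the sample authorizations are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Entry modes as the article describes them: 05 chip, 07 contactless,
# MasterCard 80 = chip fallback to stripe, Visa 90 = stripe read that is a
# fallback only when the condition code says so (placeholder value below).
VISA_FALLBACK_CONDITION = "FALLBACK_PLACEHOLDER"  # assumption, not a real code
ATM_MCC = "6011"                 # electronic cash disbursement
POS_FALLBACK_LIMIT = 100.00      # the article's example: $100 per 24 hours
WINDOW = timedelta(hours=24)

@dataclass
class Auth:
    network: str        # "MC" or "VISA"
    entry_mode: str
    condition_code: str
    mcc: str
    amount: float
    ts: datetime

def is_fallback(a: Auth) -> bool:
    """True when the authorization is a magnetic stripe fallback."""
    if a.network == "MC":
        return a.entry_mode == "80"
    if a.network == "VISA":
        return a.entry_mode == "90" and a.condition_code == VISA_FALLBACK_CONDITION
    return False

def decide(a: Auth, history: list) -> str:
    """Apply the article's rules; history is this card's earlier approvals."""
    if a.mcc == ATM_MCC:
        # ATM/ITM: chip-on-chip or contactless only, never fallback.
        return "approve" if a.entry_mode in ("05", "07") else "decline"
    if is_fallback(a):
        # POS: cap total fallback spend in the trailing 24-hour window.
        recent = sum(h.amount for h in history
                     if is_fallback(h) and timedelta(0) <= a.ts - h.ts <= WINDOW)
        return "approve" if recent + a.amount <= POS_FALLBACK_LIMIT else "decline"
    return "approve"

def sample_decisions() -> list:
    """Constructed sample authorizations for one card (not real data)."""
    t0 = datetime(2024, 1, 1, 12, 0)
    fb = VISA_FALLBACK_CONDITION
    atm_chip = Auth("MC", "05", "", ATM_MCC, 200.0, t0)
    atm_fb = Auth("MC", "80", "", ATM_MCC, 200.0, t0)
    pos1 = Auth("VISA", "90", fb, "5411", 60.0, t0)
    pos2 = Auth("VISA", "90", fb, "5411", 50.0, t0 + timedelta(hours=1))
    pos3 = Auth("VISA", "90", fb, "5411", 50.0, t0 + timedelta(hours=30))
    plain_swipe = Auth("VISA", "90", "", "5411", 10.0, t0)  # stripe, not fallback
    return [decide(atm_chip, []), decide(atm_fb, []), decide(pos1, []),
            decide(pos2, [pos1]), decide(pos3, [pos1]), decide(plain_swipe, [])]
```

The second POS fallback is declined because $60 + $50 exceeds the $100 window limit; the third is approved because it falls outside the 24-hour window.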
The adoption of chip technology has been a pivotal advancement in fraud prevention, significantly shifting the responsibility for fraud liability. As the bad actors increasingly exploit fallback mechanisms, it is imperative for financial institutions to adapt and strengthen their security measures. By practicing these recommended steps, such as preventing or limiting fallback authorizations to chip and contactless authorizations, and closely monitoring POS and ATM/ITM activities, institutions can effectively mitigate risks and protect themselves from potential fraud losses.
Ann Davidson is Vice President Risk Consulting, Bond Division for Allied Solutions in Carmel, Ind.