What is Cloning

Cloning is the copying of stolen credit or debit card information to a new card. Cloning, also called skimming, requires copying information at a credit card terminal using an electronic device or software, then transferring the information from the stolen card to a new card or rewriting an existing card with it.

Breaking Down Cloning

Cloning employs an electronic device to scan the card, so it does not require the physical card to be stolen. An employee would use a portable reader to scan the card prior to inserting it into a credit card terminal. This allows the information on a magnetic stripe card, which is typically encrypted during the transaction process, to be recorded in the device's memory. Once the information is recorded, it can be transferred onto the magnetic stripe of a new card or used to overwrite the data on an already stolen credit card. For cards that use a PIN in addition to a magnetic stripe, the PIN would need to be observed and recorded.

Chip Cards vs Magnetic Card Theft

A chip card is a standard-size plastic debit card or credit card that contains an embedded microchip as well as a traditional magnetic stripe. Chip cards are also referred to as smart cards or EMV cards. EMV stands for Europay, MasterCard, Visa, and it is the global standard for chip-based debit and credit transactions. The chip encrypts information to increase data security when making transactions at chip-enabled terminals or ATMs, which provides an additional layer of security. Chip technology may help reduce certain types of fraud resulting from data breaches; however, it will not prevent a data breach. As a result, both chip-and-PIN and chip-and-signature transactions offer enhanced security against counterfeiting.

EMV cards employ an authentication protocol that requires point-of-sale (POS) terminals or automated teller machines (ATMs) to generate a nonce, called the unpredictable number, for each transaction to ensure it is new. Some EMV implementers have used simple counters, timestamps or algorithms to supply this number. This exposes them to a so-called pre-play attack that is indistinguishable from card cloning because it accesses the logs available to the card-issuing bank, and that can be carried out even if it is impossible to clone a card physically, that is, to extract the account information and load it into another card. Card cloning is the type of fraud that EMV was designed to prevent.
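
The weakness described above can be checked from the defender's side by auditing the unpredictable numbers a terminal has logged. The following is an added example, not part of the original article: the log format, function name, thresholds and sample values are assumptions made for illustration.

```python
from collections import Counter

MASK32 = 0xFFFFFFFF  # the EMV unpredictable number is a 4-byte field

def audit_unpredictable_numbers(records, majority=0.8, max_constant_bits=16):
    """Flag predictable nonce generation for one terminal.

    records: [(unix_time, un_hex), ...] in transaction order (hypothetical log format).
    Returns a set of finding labels; an empty set means none of these checks fired.
    """
    if len(records) < 4:
        raise ValueError("need at least 4 transactions to judge a terminal")
    times = [t for t, _ in records]
    uns = [int(h, 16) & MASK32 for _, h in records]
    findings = set()

    # Counter: consecutive values differ by the same step (mod 2^32).
    steps = Counter((b - a) & MASK32 for a, b in zip(uns, uns[1:]))
    if steps.most_common(1)[0][1] >= majority * (len(uns) - 1):
        findings.add("fixed_step")

    # Timestamp: value minus the clock (in seconds) stays constant.
    offsets = Counter((u - t) & MASK32 for t, u in zip(times, uns))
    if offsets.most_common(1)[0][1] >= majority * len(uns):
        findings.add("tracks_clock")

    # Weak algorithm: many bits never change across the sample.
    always_one, ever_one = MASK32, 0
    for u in uns:
        always_one &= u
        ever_one |= u
    varying = ever_one & ~always_one
    if 32 - bin(varying).count("1") >= max_constant_bits:
        findings.add("constant_bits")
    return findings

# Constructed sample data, not taken from any real terminal.
CLOCK = [1700000000, 1700000041, 1700000118, 1700000190, 1700000305, 1700000377]
counter_terminal = [(t, f"{0xA1F0 + i:08X}") for i, t in enumerate(CLOCK)]
clock_terminal = [(t, f"{t & MASK32:08X}") for t in CLOCK]
random_terminal = list(zip(CLOCK, ["3F9A12C4", "C07E55B1", "18D2E90F",
                                   "A4416B37", "7B0CF2E8", "E5B38D50"]))

if __name__ == "__main__":
    for name, recs in [("counter", counter_terminal), ("clock", clock_terminal),
                       ("random", random_terminal)]:
        print(name, sorted(audit_unpredictable_numbers(recs)))
```

An empty result only means these three heuristics did not fire on the sample; it is not proof that the terminal's generator is sound.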