It’s common, it’s probably just that there’s an active community here!
No, cloning the card chip is virtually impossible. The card will not, under any circumstances, reveal the keys that would be needed to make a working clone.
There are a few things that can happen, however:
The magnetic stripe can be cloned and fallback can be forced.
The magnetic stripe can be cloned and used at a non-EMV merchant.
A pre-play attack contactless magstripe transaction can be performed and replayed.
The details from the card can be used in a CNP (card not present) environment, which may occasionally not even require the CVC2 and thus details from the magstripe or chip can be used (the point of the CVC2 is that it isn’t on the magstripe or chip).
The magnetic stripe may be presented to a terminal as a contactless magstripe transaction, which might get approved due to poor formatting and tolerance for such of authorisation messages. I’ve seen this demoed and don’t know how feasible it still is, but I suspect it would work in at least some cases.
So no, don’t worry, the chip isn’t being copied, doing so is essentially impossible.
No, it just doesn’t… there has never been one proven case of an EMV card being cloned. The magstripe is easily cloned, but that alone shouldn’t get a thief far post-EMV migration (notes above what it can accomplish - fallback fraud and fraud at non-EMV merchants).
You are correct of course. I didn’t read the question properly, omitting the word “chip”. Cloning the Mag stripe is trivial, and in both cases where I had fraud on my card in the past, that’s what happened (with the cloned card then being used in America where EMV isn’t common.)
Definitely, though thankfully we’re at over 50% EMV in the US now. These last few weak areas are getting closed. Merchants worldwide are now liable for the cost of fraud if they use the magnetic stripe and it proves later to have been cloned (with some exceptions for things like pay at the pump fuel in the US and the like).
I think the next major fraud path we’ll see is contactless magstripe fraud in the US. Not quite as trivial as actual magstripe, but usable at far more shops (many shops use EMV for contact and magstripe mode for contactless still, in the US).
Surely, if you don’t know it’s been cloned, and you have no reason to get a new card… they can sit on it as long as they want? It will always work unless the card is cancelled or expires?
Cards are mostly stolen in huge batches at merchants with malware on point of sale systems. This will eventually get noticed by banks (by noticing higher levels of fraud only on cards used at this merchant) or by the merchant discovering the malware, at which point banks will cancel all the cards suspected to be breached, even if that particular card hasn’t been used for fraud yet. As a fraudster you want to cash out the card ASAP.
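The bank-side detection mentioned in the last post (noticing higher fraud levels only on cards used at one merchant, then cancelling the exposed cards that have not been abused yet) is commonly called common-point-of-purchase analysis. A minimal sketch of it follows as an added example that is not part of the original thread; the function name, thresholds and all transaction data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (card_id, merchant_id) pairs from authorisation history.
TRANSACTIONS = [
    ("c1", "cafe"), ("c2", "cafe"), ("c3", "cafe"), ("c4", "cafe"),
    ("c1", "grocer"), ("c5", "grocer"), ("c6", "grocer"),
    ("c7", "grocer"), ("c8", "grocer"), ("c9", "grocer"),
    ("c2", "fuel"), ("c9", "fuel"), ("c10", "fuel"),
    ("c3", "bookshop"),
]
# Constructed: cards whose holders have already reported fraud.
FRAUD_REPORTED = {"c1", "c2", "c3"}


def common_point_of_purchase(transactions, fraud_cards, min_cards=3, ratio=2.0):
    """Flag merchants whose customers show an elevated fraud rate.

    Returns {merchant: (fraud_rate, cards_to_reissue)} for every merchant
    where the share of defrauded cards is at least `ratio` times the
    portfolio-wide baseline. cards_to_reissue lists cards seen at that
    merchant with no fraud reported so far.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)

    all_cards = {card for card, _ in transactions}
    baseline = len(fraud_cards & all_cards) / len(all_cards)
    if baseline == 0:
        return {}  # no fraud reported anywhere, nothing to correlate

    flagged = {}
    for merchant, cards in cards_by_merchant.items():
        # A merchant seen by very few cards gives a meaningless rate
        # (one defrauded card out of one is 100%), so skip it.
        if len(cards) < min_cards:
            continue
        rate = len(cards & fraud_cards) / len(cards)
        if rate >= ratio * baseline:
            flagged[merchant] = (rate, sorted(cards - fraud_cards))
    return flagged


if __name__ == "__main__":
    for merchant, (rate, exposed) in common_point_of_purchase(
            TRANSACTIONS, FRAUD_REPORTED).items():
        print(f"{merchant}: fraud rate {rate:.0%}, reissue {exposed}")
```

In the sample data the baseline is 3 defrauded cards out of 10; only the cafe exceeds twice that rate, so card c4 is marked for reissue even though no fraud has been reported on it.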