The chip and PIN payment card system – or EMV – is considered to be more secure than the magnetic stripe one, but it’s also not bulletproof. Nevertheless, US banks and card issuers are finally planning to make the switch in the wake of the recent massive breaches that hit a number of US retailers.
The change is coming slowly, and most banks have yet to issue chip-based payment cards to their customers. But, curiously enough, some of them have already been fleeced via fraudulent chip-enabled transactions coming from Brazil.
How did that happen? The criminals got ahold of a batch of cards compromised in the Home Depot and other data breaches but, instead of using the stolen information to clone magnetic stripe cards and use them to buy stuff directly from retailers, they seem to have used a payment terminal that they have control over to manipulate data fields for transactions that are put through it.
“After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly,” Brian Krebs said in explaining this “replay” attack.
They likely did this because they were pretty sure that the banks are still having problems with the implementation of the EMV protocol and they could take advantage of that, and, as fraud analyst Avivah Litan noted, they probably “knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls.”
According to her, this is not the first time that Brazilian crooks used this technique to pull off EMV-spoofing attacks.
Krebs tells of a small bank in New England which hasn’t reissued customer cards potentially compromised in the Home Depot breach as there was no indication that they were actually cloned and used, and because the move would result in considerable costs. Unfortunately, their decision was proven to be wrong after $120,000 in fraudulent charges from Brazilian stores were effected earlier this week in less than two days.
They managed to stop most of them, and now they still have to dispute charges in the amount of $40,000 with the credit card companies. They might succeed because even though fraudulent charges coming in the form of EMV transactions are usually the responsibility of the bank, in this case the bank has not yet issued chip-enabled payment cards.
In the future, this type of attack will not be spotted so easily, and that’s why it’s important that banks implement the EMV system correctly, noted Litan.
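The inconsistency that gave these charges away (a chip transaction on a card that was never issued with a chip) can be checked at authorization time instead of letting the EMV label relax other controls. The sketch below is an added example, not code from Krebs, Litan or any bank; the record fields, card identifiers and amounts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: the field names are assumptions for this example,
# not a real authorization message format.
CHIP_ISSUED = {"card-0003"}  # cards the issuer has actually shipped with a chip

AUTHS = [
    {"card": "card-0001", "entry_mode": "chip", "country": "BR", "amount": 1800.00},
    {"card": "card-0001", "entry_mode": "chip", "country": "BR", "amount": 2250.50},
    {"card": "card-0002", "entry_mode": "magstripe", "country": "US", "amount": 42.10},
    {"card": "card-0003", "entry_mode": "chip", "country": "US", "amount": 95.00},
    {"card": "card-0004", "entry_mode": "chip", "country": "BR", "amount": 990.00},
]


def decide(auth, chip_issued):
    """Return 'decline' when a transaction claims a chip read on a card
    that was never issued with a chip; otherwise defer to normal scoring."""
    if auth["entry_mode"] == "chip" and auth["card"] not in chip_issued:
        return "decline"
    return "score_normally"  # the EMV label alone never relaxes other controls


def summarize(auths, chip_issued):
    """Total the declined amounts per merchant country so an analyst can see
    where the spoofed chip traffic clusters."""
    totals = defaultdict(float)
    declined_cards = set()
    for auth in auths:
        if decide(auth, chip_issued) == "decline":
            totals[auth["country"]] += auth["amount"]
            declined_cards.add(auth["card"])
    return dict(totals), sorted(declined_cards)


if __name__ == "__main__":
    totals, cards = summarize(AUTHS, CHIP_ISSUED)
    print("Declined amount by merchant country:", totals)
    print("Cards to review for reissue:", cards)
```

Once an issuer does ship chip cards this particular check stops firing for them, which is the situation Litan warns about.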