News

US banks hit with EMV fraud (yes, EMV fraud)

Fraudsters are devoting their energies to exploiting holes in the smart chip transaction process. And it seems that they have found a few.

October 28, 2014

As the U.S. finally moves toward EMV implementation, fraudsters are devoting more energy to exploiting holes in the smart chip transaction process. And it seems that they have found a few.

A report byKrebs on Securitysaid that at least three U.S. banks have been hit recently with fraudulent EMV transactions. All of the charges passed through the Visa and MasterCard networks as EMV transactions. However, the banks involved had not even begun to issue chip cards yet, the report said. One bank managed to reject some $80,000 in charges, but its processor accepted $40,000 when the bank's systems were offline.

The charges appeared to be EMV debit transactions without PIN numbers. According to Krebs, the New England bank was told by MasterCard that the thieves had "spoofed" EMV transactions using mag stripe data that was most likely stolen in the Home Depot data breach:

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Without the ability to compare the cryptographic code or check the transaction counter code — both of which reside within the chip — the processor could not detect the spoof.

Krebs reported that a similar fraud was carried out against a Canadian bank that hadn't correctly implemented EMV and, as a result, was not comparing cryptograms or monitoring transaction counters.