U.S. Banks Received Tens of Thousands of Dollars Charged on EMV Cards — Despite Not Having Sent Customers Chip-Enabled Cards!
During World War II, British intelligence used a real dead body to create a fictitious Royal Marine Major William Martin. The body was dropped in the sea by a submarine and washed ashore on a Spanish beach where it was hoped it would fall into the hands of German intelligence. Attached to the body was a briefcase containing letters falsely stating that an Allied attack would be launched against Sardinia and Greece rather than Sicily, where the invasion took place.
Operation Mincemeat, the macabre name given to the highly successful ruse which may have saved thousands of Allied lives, was turned into a book and movie titled, The Man Who Never Was. Now, Brian Krebs on his blog, KrebsonSecurity.com, relates the story of the EMV Cards that never were and the very real fraudulent credit and debit card transactions that could cost financial institutions in the USA and Canada tens of thousands of dollars. The following has been excerpted from Krebs blog and edited to fit our format. You may find the complete, unedited article by clicking on this link.
Card data compromised as part of Home Depot breach
[At] least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.
[All the charges were] submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards [hadn’t] begun sending customers chip-enabled cards.
Charges difficult to dispute
Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).
However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.
According to [one bank Krebs spoke with], MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.
Bad EMV implementation at Canadian bank
Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.
“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”
Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.
It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.
Cybercriminals kept doubling down
[It] appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.
Important to set up EMV properly
[Litan observes] “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.