A strange case of credit card fraud out of Brazil has American banks and credit-card companies arguing over just who's responsible for eating the cost — and unintentionally provides a reminder that, while chip-based credit cards might be less insecure than magnetic-strip cards, determined thieves can still find ways around that.
Security blogger Brian Krebs first reported that at least three unnamed U.S. financial institutions have ...
reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.
The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard's networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.
EMV chip
“Chip-enabled” cards refer to cards outfitted with an EMV chip. Last March, MasterCard and VISA announced that they had formed a “new cross-industry group focused on enhancing payment system security,” first by replacing American magnetic-strip credit cards with the chips.
EMV stands for “Europay, MasterCard and Visa,” the three companies which first developed the technology. It's been around since the early 1990s and has been in common use throughout the world (except the U.S.) for roughly a decade now. An EMV stores information on an encrypted microchip, rather than a non-encrypted (and relatively easy to counterfeit) magnetic strip.
EMV cards also tend to require a personal identification number (PIN) at point of sale. These features do not make it impossible for hackers to steal money from accounts, but they are supposed to make thieves' lives far more difficult, by making it harder for them to actually use any account numbers they manage to steal.
Clearly, that didn't happen with the latest case of card fraud out of Brazil. Krebs' source at a certain New England bank said that they first detected a problem last week when, during a two-day period, the bank got $120,000 worth of fraudulent charges posted from stores in Brazil. Krebs reports that:
The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.
Replay attack
How could that have happened? Remember: those weren't even real chip cards; they were magnetic-strip accounts. Krebs said his bank source said the bank “initially considered the possibility that the perpetrators had somehow figured out how to clone chip cards and had encoded the cards with their customers’ card data. In theory, however, it should not be possible to easily clone a chip card.”
Indeed, that's supposed to be the whole point of the cards: an encrypted chip is much harder to counterfeit than an easy-to-read magnetic strip (and even if some hacker or thief does manage to crack the encryption and read what's on the chip, that still isn't supposed to do him any good unless he has the PIN, too).
Yet somehow, fraudsters managed to take non-chip cards and convince MasterCard and VISA to accept them as chip cards without a PIN. How? Neither MasterCard nor VISA have said anything on the record, but Krebs' anonymous bank source said that the most likely culprit is what's known as a “replay” attack:
According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.
Who pays?
Which still leaves open the question of who should have to pay for the fraudulent transactions: the bank, the credit card company, the payment-terminal controller, or the retailer who accepted payment with it?
Avivah Litan, a fruad analyst with Gartner, Inc., told Krebs that “There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly …. A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”