Bogus Credit Card Charges Look Like They Were Made With Chip-Enabled Cards

chipcardAs banks begin rolling out new credit cards embedded with microchips intended to help prevent fraudulent use, some financial institutions are reportedly seeing a spike in bogus transaction charges that appear to be coming from these newer cards, even though chip-enabled cards have yet to be sent out.

This is according to KrebsOnSecurity.com, which reports that at least three U.S. banks have recently seen tens of thousands of fraudulent transactions coming from Brazil that are not only using account numbers stolen from data heists like the massive Home Depot breach, but which are being processed through the Visa and MasterCard networks as if they are coming from chip-enabled cards.

One small New England bank tells Krebs that it saw around $120,000 in bogus charges from Brazil in just a two-day period last week. All of those purchases came through the MasterCard network as if they were from new, chip-enabled cards. Luckily, it was able to block $80,000 of these transactions from going through, but it could still be on the hook for the remaining $40,000.

The accounts in question had been associated with the recent Home Depot breach, but the bank said that it had previously seen almost no attempts to make fraudulent purchases with that stolen info. Then came last week.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” a rep for the bank tells Krebs. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

Since the bank has not yet released chip-embedded cards, how are the thieves tricking the MasterCard and Visa networks?

In the case of the New England bank, it says that MasterCard initially insisted that the purchases had to have been made with the physical chip-embedded cards. But not only has the bank not released any of these cards, its payment processor hasn’t yet been certified by MasterCard to handle these sorts of transactions.

The microchips themselves are apparently quite hard and expensive to clone and Krebs explains that there are additional security checks that banks can use to validate chip card transactions:

The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

Since no one is speaking on the record about these bogus purchases, insiders tell Krebs that the most likely explanation for the trickery is what’s known as a “replay” attack.

It’s believed that the fraudsters in this case had control of a payment terminal and could manipulate data fields for transactions put through that terminal.

Once they had data from a genuine chip card transaction, they could basically fill in the blanks with the stolen card numbers and the other necessary info.

Avivah Litan, a fraud analyst with Gartner Inc., tells Krebs that Brazilian scammers were recently able to pull this sort of fraud on a Canadian bank because the institution wasn’t thoroughly checking the cryptograms or counters on chip-card transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan explains. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

It’s basically like trying to sneak backstage at an event by wearing a VIP lanyard around your neck and hoping that no one actually looks to see if it’s genuine.

“It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it,” says Litan. “Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”

MasterCard is apparently now in the process of reviewing the fraudulent transactions in the New England case to see if the merchants associated with these purchases have any actual records of these transactions.

While chip-enabled cards can add a level of security to transactions, it’s important for banks to not be lulled into a false sense that everything is okay.

Litan tells Krebs that setting up the systems for chip-based transactions is not simple for banks and processors, but that “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly.”

“That’s the irony: We think EMV is going to solve all our card fraud problems,” says Litan, “but doing it correctly is going to take a lot longer than we thought.”