MERRIFIELD, Va. (10/29/14)--Cyberthieves appear to have routed fraudulent transactions through Brazil as part of the breach at Home Depot. However, in an odd twist, the transactions were submitted through Visa and MasterCard's networks as chip-enabled transactions--but the banks that issued the cards in question have not yet issued EMV cards, according to information security expert Brian Krebs.
Such charges are far more difficult for financial institutions to dispute, Krebs said. Financial institutions usually absorb the cost of fraud from unauthorized transactions made with counterfeit and stolen credit cards. Even so, a credit union or bank may be able to recover some of those losses through the Visa and MasterCard dispute process, as long as the financial institution can show that the fraud was the result of a breach at a specific merchant.
However, financial institutions are responsible for all of the fraud costs that occur from any fraudulent use of their customers' chip-enabled credit/debit cards--even fraudulent charges disguised as pseudo-chip transactions such as the ones in question, Krebs said.
One of the banks involved in the Brazil incident, described by Krebs as a small financial institution in New England, faced roughly $120,000 in fraudulent charges from Brazilian stores in less than two days. The bank blocked $80,000 of those fraudulent charges, but its processor, which approves incoming transactions when the bank's core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard's network looking to MasterCard like chip transactions without a PIN.
The New England bank initially decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank's overall card base and because the bank had, until that point, seen virtually no fraud on the accounts, according to Krebs.
Then, in one day it received an amount equal to a month's worth of fraud charges as a result of the charges from Brazil, the bank's security officer told Krebs.
In theory, it should not be possible to easily clone a chip card, Krebs said. EMV cards contain a secure microchip that is designed to make the card very difficult and expensive to counterfeit.
Also, chips store encrypted data about the cardholder account, as well as a "cryptogram" that allows the financial institution to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that is incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the financial institution that issued the card.
Security experts, including Krebs, are confused as to why perpetrators go through the trouble of taking plain old magnetic stripe cards stolen in the Home Depot breach and spoofing EMV transactions. Why wouldn't the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?
More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?
MasterCard initially insisted that the charges were made using physical chip-based cards, but the New England bank protested that it hadn't yet issued its customers any chip cards. The bank's processor had not yet been certified by MasterCard to handle chip card transactions.
According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.
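
Issuer-side screening for the two signals described in this article: the chip counter that should only move forward in small steps, and a chip-flagged charge on an account for which the issuer has never issued a chip card. This is an added example, not code from Krebs, MasterCard or the bank; the field names, flag names and the `MAX_ATC_GAP` threshold are assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ATC_GAP = 10  # assumed tolerance before a counter that skips ahead is flagged

@dataclass
class CardState:
    chip_issued: bool               # has the issuer issued a chip card on this account?
    last_atc: Optional[int] = None  # highest chip transaction counter accepted so far

@dataclass
class AuthRequest:
    account: str        # constructed account token, not a real card number
    entry_mode: str     # "chip" or "magstripe", as claimed in the incoming message
    atc: Optional[int]  # counter value carried with a chip transaction

def screen(req, cards):
    """Return reasons to decline or review this request; an empty list means none."""
    if req.entry_mode != "chip":
        return []  # magnetic-stripe traffic goes through the issuer's usual rules
    card = cards.get(req.account)
    if card is None or not card.chip_issued:
        return ["chip_claimed_on_non_chip_card"]
    if req.atc is None:
        return ["chip_without_counter"]
    if card.last_atc is not None:
        if req.atc <= card.last_atc:  # duplicate, or (generalized here) a lower value
            return ["atc_duplicate_or_lower"]
        if req.atc - card.last_atc > MAX_ATC_GAP:
            return ["atc_skips_ahead"]
    card.last_atc = req.atc  # only a clean request advances the stored counter
    return []

def run_sample():
    # Constructed issuer records and authorization requests.
    cards = {
        "acct-A": CardState(chip_issued=False),
        "acct-B": CardState(chip_issued=True, last_atc=41),
    }
    stream = [
        AuthRequest("acct-A", "chip", 7),          # chip claimed, no chip card issued
        AuthRequest("acct-B", "chip", 42),         # next counter value, clean
        AuthRequest("acct-B", "chip", 42),         # same counter value again
        AuthRequest("acct-B", "chip", 400),        # counter jumps far ahead
        AuthRequest("acct-A", "magstripe", None),  # not a chip claim
    ]
    return [screen(r, cards) for r in stream]

if __name__ == "__main__":
    print(run_sample())
```

The first check has to run in every system that can approve on the issuer's behalf, including a stand-in processor that answers when the core systems are offline.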