A concerning pattern of credit- and debit-card fraud from Brazil is targeting US financial institutions, with big implications for banks implementing the smart-card approach to card security known as EMV, or chip-and-PIN.
Independent security researcher Brian Krebs found that over the past week, at least three banks reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from the South American country, hitting card accounts stolen in recent retail heists, including the Home Depot breach. What’s curious is that the charges come across as chip-enabled transactions.
“The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week,” Krebs said. “All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.”
Second-hand MasterCard sources said that it’s likely that the criminals are using a technique known as a “replay” attack, Krebs explained.
“The thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal,” he said. “After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.”
This isn’t the first example of the approach: Canadian banks saw the same EMV-spoofing attacks emanating from Brazil several months ago.
The attackers are playing on the conventional wisdom that EMV transactions are, by definition, more secure, in the hope that banks would loosen other fraud detection controls for chip-based transactions. And that has played out: In the Canadian case, Krebs reported that one bank suffered a large loss because it wasn’t checking the cryptograms or counters on the faux EMV transactions, and just rubber-stamped the authorizations.
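The cryptogram and counter checks that bank reportedly skipped can be sketched as follows. This is an added example, not code from the article or from any card network: the HMAC is a stand-in for the real EMV cryptogram algorithm, and the keys, card numbers and field names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo data: card number -> per-card key (a real issuer keeps these in an HSM).
CARD_KEYS = {
    "4000000000000001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "4000000000000002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
last_atc = {}  # card number -> highest transaction counter already accepted


def cryptogram(key, atc, amount_cents, country, un):
    """Stand-in MAC (HMAC-SHA256, 8 bytes) over counter, amount, country, terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + country.encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def authorize(txn):
    """Issuer-side decision for a message that claims to be a chip transaction."""
    key = CARD_KEYS.get(txn["pan"])
    if key is None:
        return "decline: unknown card"
    expected = cryptogram(key, txn["atc"], txn["amount_cents"], txn["country"], txn["un"])
    if not hmac.compare_digest(expected, txn["cryptogram"]):
        return "decline: cryptogram mismatch"  # not produced by this card for this data
    if txn["atc"] <= last_atc.get(txn["pan"], -1):
        return "decline: counter reused"       # valid cryptogram seen before: replay
    last_atc[txn["pan"]] = txn["atc"]
    return "approve"


def demo():
    """Authorize one genuine message, then three manipulated copies (all constructed)."""
    last_atc.clear()
    un = bytes.fromhex("a1b2c3d4")
    genuine = {"pan": "4000000000000001", "atc": 7, "amount_cents": 2500,
               "country": "BR", "un": un}
    genuine["cryptogram"] = cryptogram(CARD_KEYS[genuine["pan"]], 7, 2500, "BR", un)
    return {
        "genuine": authorize(genuine),
        "replayed": authorize(dict(genuine)),  # identical resubmission
        "other_card": authorize(dict(genuine, pan="4000000000000002")),
        "new_amount": authorize(dict(genuine, amount_cents=250000)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:11s} {decision}")
```

An issuer that approves on the chip indicator alone never reaches either decline branch, which is the rubber-stamping described above.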
To effect the replay attack, the hackers appear to be exploiting a flaw in the implementation of the EMV protocol. Luther Martin, chief security architect at Voltage Security, told Infosecurity in an email that the situation points out the difficulty in correctly implementing encryption.
“It was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself,” he noted. “Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system.”
The situation clearly demonstrates that EMV is not proof against all payment fraud, so payments stakeholders need to maintain their vigilance. Aside from maintaining stringent fraud controls, Martin added that the failure to protect all stored payment information can still expose large databases of sensitive payments information to hackers who can then exploit the information through card-not-present transactions.
“While [EMV] may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’ that will eliminate all payment fraud,” Martin explained. “In particular, it doesn’t really address card-not-present fraud. And because card-not-present transactions are a significant and increasing fraction of all payments, the types of vulnerabilities like the one apparently exploited by hackers will probably continue to exist well into the future.”