October 27, 2014

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

A chip card. Image: First Data

The New England bank initially considered the possibility that the perpetrators had somehow figured out how to clone chip cards and had encoded the cards with their customers’ card data. In theory, however, it should not be possible to easily clone a chip card. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the card very difficult and expensive to counterfeit.

In addition, there are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.
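The two issuer-side checks just described, the cryptogram and the transaction counter, are what separate a genuine chip authorization from a magnetic-stripe transaction merely flagged as chip. The following is an added example written for this article, not code from the article, from any bank, or from the card networks. It is a deliberately simplified model: real EMV derives card and session keys with 3DES or AES per the EMV specifications and MACs a defined set of tag/length/value fields, whereas this model uses HMAC-SHA256 over a pipe-delimited string so that it runs stand-alone. The issuer master key, PANs, amounts and the ATC jump threshold are all constructed values. It contrasts an issuer that verifies the cryptogram and counter with one that trusts the terminal's chip flag, which is the failure mode the article goes on to describe.

```python
"""Simplified issuer-side validation of a chip (EMV-style) authorization.

Added illustration; not real EMV key derivation or cryptogram format.
"""
import hashlib
import hmac
from dataclasses import dataclass

ISSUER_MASTER_KEY = b"constructed-issuer-master-key"   # placeholder, not a real key


def card_key(pan: str) -> bytes:
    """Derive a card-unique key from the issuer master key and the PAN (model only)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def compute_cryptogram(pan: str, atc: int, amount_cents: int, unpredictable_number: int) -> bytes:
    """What a genuine chip computes: a MAC over the transaction data with the card key."""
    data = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(card_key(pan), data, hashlib.sha256).digest()[:8]


@dataclass
class Authorization:
    pan: str
    atc: int                   # application transaction counter claimed by the "card"
    amount_cents: int
    unpredictable_number: int  # terminal-supplied nonce
    cryptogram: bytes          # ARQC-like value carried in the authorization
    pos_entry_mode: str        # "chip" or "magstripe", as flagged by the terminal


class Issuer:
    def __init__(self, chip_issued_pans):
        self.chip_issued_pans = set(chip_issued_pans)
        self.last_atc = {}     # pan -> highest ATC accepted so far

    def authorize_weak(self, auth: Authorization) -> bool:
        """Trusts the terminal's chip flag and loosens other controls."""
        return auth.pos_entry_mode == "chip"

    def authorize(self, auth: Authorization):
        """Verify the cryptogram and the counter before trusting a chip flag."""
        if auth.pos_entry_mode != "chip":
            return False, "not a chip transaction; route to magstripe rules"
        if auth.pan not in self.chip_issued_pans:
            return False, "chip flag on a card never issued with a chip"
        expected = compute_cryptogram(auth.pan, auth.atc, auth.amount_cents, auth.unpredictable_number)
        if not hmac.compare_digest(expected, auth.cryptogram):
            return False, "cryptogram mismatch"
        last = self.last_atc.get(auth.pan, 0)
        if auth.atc <= last:
            return False, f"ATC {auth.atc} not above last seen {last} (replay?)"
        if auth.atc > last + 50:   # constructed threshold for a suspicious jump
            return False, "ATC jumped too far ahead"
        self.last_atc[auth.pan] = auth.atc
        return True, "ok"


def demo():
    """Run a genuine, a replayed and two forged authorizations through both issuers."""
    chip_pan = "4000000000000002"           # constructed: issued with a chip
    stripe_pan = "4000000000000010"         # constructed: never issued with a chip
    issuer = Issuer(chip_issued_pans={chip_pan})
    nonce = 0x1A2B3C4D
    genuine = Authorization(chip_pan, 17, 2599, nonce,
                            compute_cryptogram(chip_pan, 17, 2599, nonce), "chip")
    replay = Authorization(chip_pan, 17, 2599, nonce, genuine.cryptogram, "chip")
    forged_stripe = Authorization(stripe_pan, 1, 5000, 0, b"\x00" * 8, "chip")
    forged_chip = Authorization(chip_pan, 18, 5000, 0, b"\x00" * 8, "chip")
    return {
        "genuine": issuer.authorize(genuine),
        "replay": issuer.authorize(replay),
        "forged_non_chip_pan": issuer.authorize(forged_stripe),
        "forged_bad_cryptogram": issuer.authorize(forged_chip),
        "weak_issuer_forged": issuer.authorize_weak(forged_stripe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak path is the one that matters: an issuer that only looks at the entry-mode flag accepts the forged stripe-as-chip transaction, while the checking path rejects it for three independent reasons (wrong portfolio, bad cryptogram, and, for a replayed genuine message, a counter that did not advance).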

And this is exactly what has bank fraud fighters scratching their heads: Why would the perpetrators go through all the trouble of taking plain old magnetic stripe cards stolen in the Home Depot breach (and ostensibly purchased in the cybercrime underground) and making those look like EMV transactions? Why wouldn’t the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?

More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?

The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards. Furthermore, the bank’s processor hadn’t even yet been certified by MasterCard to handle chip card transactions, so why was MasterCard so sure that the phony transactions were chip-based?

EMV ‘REPLAY’ ATTACKS?

MasterCard did not respond to multiple requests to comment for this story. Visa also declined to comment on the record. But the New England bank told KrebsOnSecurity that in a conversation with MasterCard officials the credit card company said the most likely explanation was that fraudsters were pushing regular magnetic stripe transactions through the card network as EMV purchases using a technique known as a “replay” attack.

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Litan said. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it. Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”

The thieves also seem to be messing with the transaction codes and other aspects of the EMV transaction stream. Litan said it’s likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge.

“I remember when I went to Brazil a couple of years ago, their biggest problem was merchants were taking point-of-sale systems home, and then running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil. The bank said MasterCard is currently in the process of checking with the Brazilian merchants to see whether they had physical transactions that matched transactions shown on paper.

In the meantime, it appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Litan said attacks like this one illustrate the importance of banks setting up EMV correctly. She noted that while the New England bank was able to flag the apparent EMV transactions as fraudulent in part because it hadn’t yet begun issuing EMV cards, the outcome might be different for a bank that had issued at least some chip cards.
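Beyond verifying the cryptogram itself, the pattern the article describes gives an issuer several behavioural signals to alert on: chip-flagged authorizations arriving on a portfolio that has no chip cards yet, chip-flagged authorizations from a foreign country, and a burst of charges on one account whose amounts roughly double each time. The following is an added example, not the New England bank's rules or any network's code; the authorization records, the ten-minute window, the 1.5x escalation ratio and the run length of three are all constructed for illustration.

```python
"""Batch detection over an authorization log for the article's fraud pattern.

Added illustration with constructed log records and thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (timestamp, pan, merchant_country, entry_mode, amount_cents)
SAMPLE_LOG = [
    ("2014-10-20T14:02:11", "4000000000000002", "BR", "chip", 1999),
    ("2014-10-20T14:03:40", "4000000000000002", "BR", "chip", 3900),
    ("2014-10-20T14:05:02", "4000000000000002", "BR", "chip", 7650),
    ("2014-10-20T14:06:30", "4000000000000002", "BR", "chip", 15000),
    ("2014-10-20T15:10:00", "4000000000000010", "US", "magstripe", 4200),
    ("2014-10-20T15:12:00", "4000000000000010", "US", "magstripe", 850),
    ("2014-10-20T16:00:00", "4000000000000028", "BR", "chip", 2500),
]

ISSUER_HAS_ISSUED_CHIP_CARDS = False   # the situation of the bank in the article
HOME_COUNTRY = "US"
WINDOW = timedelta(minutes=10)         # constructed threshold
ESCALATION_RATIO = 1.5                 # constructed threshold
MIN_ESCALATING_RUN = 3                 # constructed threshold


def parse(log):
    """Turn raw tuples into dicts with parsed timestamps."""
    return [
        {"ts": datetime.fromisoformat(ts), "pan": pan, "country": country,
         "entry_mode": mode, "amount": amount}
        for ts, pan, country, mode, amount in log
    ]


def escalating_runs(records):
    """Longest run per PAN of closely spaced charges, each >= RATIO times the previous."""
    by_pan = defaultdict(list)
    for r in records:
        by_pan[r["pan"]].append(r)
    runs = {}
    for pan, recs in by_pan.items():
        recs.sort(key=lambda r: r["ts"])
        run = best = 1
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"] <= WINDOW
                    and cur["amount"] >= ESCALATION_RATIO * prev["amount"]):
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= MIN_ESCALATING_RUN:
            runs[pan] = best
    return runs


def run_detection(log=SAMPLE_LOG, chip_cards_issued=ISSUER_HAS_ISSUED_CHIP_CARDS):
    """Return (pan, rule) alerts for the three signals described in the article."""
    records = parse(log)
    alerts = []
    for r in records:
        if r["entry_mode"] == "chip" and not chip_cards_issued:
            alerts.append((r["pan"], "chip_on_non_chip_portfolio"))
        if r["entry_mode"] == "chip" and r["country"] != HOME_COUNTRY:
            alerts.append((r["pan"], "foreign_chip_transaction"))
    for pan, n in escalating_runs(records).items():
        alerts.append((pan, f"escalating_amounts_run_{n}"))
    return alerts


if __name__ == "__main__":
    for pan, rule in run_detection():
        print(pan, rule)
```

The first rule is exactly the one that let the bank in the article catch the fraud, and it stops working the moment the issuer ships its first chip cards; the other two do not depend on the state of the card portfolio, which is why they are worth having before an EMV rollout rather than after.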

“There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly,” Litan said. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”


145 thoughts on “‘Replay’ Attacks Spoof Chip Card Charges”

  1. jimmiedave

    Chip and PIN, Chip and PIN, Chip and G.D. PIN! What are they thinking, even _trying_ to do Chip and Signature!

      1. Vog Bedrog

        The signature appears on the card, so it’s vulnerable to being copied (you wouldn’t write your PIN on your card, would you?) And signatures are often poorly checked (or not checked at all) by merchants.

        1. Cliff

          Must admit I assumed they were using the PIN functionality, otherwise what’s the point? It’s like designing a slightly better damp paper cage to keep your tigers in.

        2. pboss

          “you wouldn’t write your PIN on your card, would you?”

          If I have to memorize a unique PIN for each card, I might. I don’t even know the PIN to any of my current cards. We have too many PINs and passwords to memorize nowadays.

          1. 1776

            Why more than a single card? Pick 1 bank card and that’s it. Those little free mugs and a few cents cash-back is not worth the hassle. I held a single card for years until all this fraud escalated. Now, I’m on cash/check.

            I don’t miss BoA’s crappy customer service.

            1. timeless

              1812.

              I have three active banks across (two share a name across the border), and a fourth bank in Europe.

              That would naturally be 4 debit cards. 3/4 have Chip and PIN. The fourth is swipe only (but, as it’s a debit card it needs a PIN).

              I can’t think of a single good reason to use the same password on all of my accounts. But I can think of a great Spaceballs (the Movie, not the lunch box) quote:
              «Dark Helmet: It worked, sir. We have the combination.
              President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What’s the combination?
              Dark Helmet: 1 2 3 4 5.
              President Skroob: 1 2 3 4 5? That’s amazing! I’ve got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
              Dark Helmet: Yes, sir!
              President Skroob: And change the combination on my luggage!»
              The key in the quote is the last line — President Skroob is sharing his password with someone else. Why would you do that? If someone does manage to steal one of your PINs, why would you want them to have the PIN for your other accounts?

              OK. So, we’ve established Debit cards.
              I’m currently traveling on business, which means I’m using my business credit card, it has a PIN. I don’t use it often, and who in their right mind would share their personal PIN with their employer?

              I also have two credit cards for each side of one border.

              I don’t know the PIN for at least three of the cards I’m carrying today — because I don’t use them regularly. In fact, it’s probably simpler to say that I’ve absolutely lost them. But it doesn’t matter, I only use the one debit card when I visit the issuing bank, and then I’m carrying my passport. (No, not “My name is my passport, verify me”.)

              The other two are Chip-free credit cards (I’m not even sure if they have PINs).

              This week, I also reset the PIN on my cellular account – a PIN I use less than once a year (autopay means that you never need to use it).

            2. peter

              Why more than one? Because if you have only one, and it’s declined, then you’re stuck. Don’t believe it – then ask the President. It happened to him and he was lucky that his wife was with him and her card worked.

              I typically carry two. And have others available (not in the wallet) if I’m traveling.

          2. beekermd03

            Too many PINS to remember, wahhhh.

            I don’t want to have to remember passwords either, wahhh.

            Life it too hard, wahhhhh.

            Go back to stuffing your money under your mattress, not using the internet, and watching your movies on Betamax. Everything will be better then.

            1. jim

              To the previous commenter, start taking your meds. As you age you will start to see what I mean. Or be from one of the better employers of labor or the military. Other than the pampered princes. And check what I mean. But how big and secure do you want a password to be? How secure is your connection to the internet? You wrote something and didn’t encrypt! Now for your next business transaction, memorize your just changed password, take your favorite med, and go grocery shopping, not saying security vids are bad, but.. Take a look at the location of the camera. Not a security freak, but that’s one, and I’ve seen security video feeds online, and controllable by the internet? With zoom, and who are buying steaks, or bolo. See the pin?
              OK, now send grandma out, the mainstay of American sales, or the wife with kids. Make it harder to sell. Damn, you’re hard.

              1. beekermd03

                @Jim, I can see your point regarding an older generation having trouble remembering things.

                In that case, why not implement something to help you remember your passwords? For instance, they make great password apps nowadays.

                Keeper is a great example:
                https://keepersecurity.com/

                1. Robert.Walter

                  Or buy an iPhone. iCloud Keychain is built in. You can store a unique password for every site, your credit cards, your CVC codes and PINs. It’s encrypted and if you want you can tell it to auto-fill your info into authentication pages for log-in or online shopping.

                  1. jimmiedave

                    That way, your credentials will be as safe as Jennifer Lawrence’s photo album.

                    1. Robert.Walter

                      Trolls gotta…

                      Thanks for comparing oranges with Apple.

                    1. teej

                      Why is this relevant? If they have probable cause, the feds can compel you to hand over your data/passwords/encryption keys whether they’re in the cloud or otherwise.

                  2. Keyspace

                    Apple has a history of poor security in their products. I’d not consider using them to protect my financials anytime soon.

                    1. Robert.Walter

                      If you already have your CC on file with Apple, then Apple’s not going to get any more data by you signing up for Apple Pay.

                  3. peter

                    If you put stuff in the Keychain in your iPhone and do NOT enable iCloud Keychain then the stuff stays local-only. And even the FBI Director has complained about not being able to get it.

                    But even better is to use Apple Pay for the cards and merchants that accept it. The card number and CVV never appear – the exchange between the phone-merchant-issuer uses a secure token issued by the bank. So a Target/HomeDepot attack just gets them a token and that’s useless for anything other than the original transaction.

                    1. Dave

                      @Teej and peter

                      Relevant because I’m not talking about agencies getting your information through due process. Or at least any kind of due process envisioned by the authors of the constitution.

                      The head of the FBI has made all kinds of claims about why they need to get around crypto including using cases that were fabricated or misrepresented – see
                      https://www.schneier.com/blog/archives/2014/10/more_crypto_war.html

                2. Jonathan E. Jaffe

                  As a card carrying member of AARP I take a humorous note of your memory slur you young whippersnapper!

                  In a more serious vein, KeeperSecurity is a fine service, but it itself becomes a security risk.

                  Consider not a better lock, but a conceptual shift removes the prize. What merchants don’t have crooks can’t steal. Confidential consumer credentials should not be exposed.

                  Jonathan @nc3mobi

                  1. JCitizen

                    I have a rather old idea to prevent replay and also authenticate, but the original data should be kept centrally from the merchants, the merchant only needs an authentication signal, but how to implement a true condition for that is not in my expertise, nor do I have any expertise for that matter.

                    Since many terminals now have signature panels on them using a stylus; why not make this stylus with a ball bearing and a pressure sensor to add complexity to the signature process, that could not be replicated by any poser, and could not be replayed, even by the card holder him/herself. This data stream would have to be protected, but even if it weren’t – replay would be impossible, and the signature could be recognized almost as well as fingerprints or a retina scan! I’d like to think this would be a relatively cheap addition to the stylus as far as hardware and terminal add-ons – but I realize that is not necessarily the case. Something has got to give here?!

                    This is an old idea I saw in a science magazine in the 1970s. Here is another example:

                    http://www.wseas.us/e-library/conferences/izmir2004/papers/489-444.pdf

                    1. timeless

                      In general, anything that can be read and is read for transmission can be recorded and replayed for transmission.

                      In fact, one possible explanation for the attack in this article is a (record-and-)replay attack.

                      Brian has a number of articles about PIN pad recorders. And we have plenty of articles about compromised PoS terminals.

                      The fixes for these attacks are better intelligence — recognizing unusual patterns — like a large number of transactions from Brazil, and a large number of PIN transactions.

                    2. JCitizen

                      It is impossible for a human being to complete a hand written signature the same way every time – so the simple solution is rejection of any replay that perfectly matches, or does not meet the parameters of the individual’s base characteristics – there are enough unique data points in a signature taken with such a stylus that only one individual in millions could even come close – tests done in the original projects in the ’70s proved this without a doubt.

                      Many people, like me, would chafe at having to present finger print ID, or less so on retinal scan, but both of those are theoretically capable of replay – a signature recorder such as this would be extremely difficult to defeat, as the chaotic intersection of the data points could not even be copied by an experienced forger. It would be like trying to predict where the sweet spot of a three axis five variable butterfly graph would possibly intersect; much as in the study of chaos theory.

            2. Rony

              You forgot to include the 8-Track music player in your nostalgic view of simpletons. lol

        3. Jason

          I have never been card verified for Chip & Signature (additionally, my card says “CHECK FOR ID!” in the signature strip before my signature). First of all, because the card is inserted in the terminal until the transaction is done, and second, no doubt because they “trust” the Chip is going to make them safe.

          1. Eric

            I do the same thing – My debit card says “CHECK ID” on the back. The fun part is watching which retailers actually check (now they have to ask me for ID in addition – so I know who’s checking). Even more fun is watching the clerk – when they take a cursory glance at the ID, just checking that the name matches, but nothing else. They never even look at my face, or the picture on the drivers’ license. Then they hand me my ID back, and as I put it back in my wallet, I casually say something like, ‘yeah well, it isn’t really me anyway…’, or ‘yeah, I had to shave off my beard to look like this guy.’ Then I take my merchandise and walk right out, leaving them wondering. Maybe it isn’t really fair to the average teenage clerk taking my debit card, but the ‘going through the motions’ mentality at almost every point of sale transaction just enables fraud.

            1. Terry

              I did something similar at a Target store. After the purchase was complete I turned to a friend and said “damn, you’re right, it’s easy to use a stolen card”. The clerk freaked out and tried to chase me out the door.

              I came back in when he was done searching and talked to the store manager. His first response: which clerk? I refused to tell him. I told him he had very lax fraud protection at the till and he needed to fix it or I would shop somewhere else. Made no difference, most people only care for convenience till they suffer.

              I don’t know how to do it, but the ‘people’ need to understand the situation. Banks could require training before issuing a card, yeah right like that will happen.

              1. Pookie

                That got a good belly laugh from me. What a great way to embarrass the wife. 🙂

            2. Jason

              I had my credit union issue me an ATM-only card for my checking/savings account. This prevents two things: insider CC fraud, and also loss of wallet fraud. It also prevents me or my wife from using the card anywhere except as an ATM, which we only do at terminals for cash.

            3. pegr

              Well, that’s because you are breaking the rules too. According to the card brands, writing “Check ID” across the signature strip is meaningless. The merchant should ensure the card is signed. If not, they should refuse the sale.

              Also, it is against card brand rules to require the presentation of any form of ID to use a payment card. Any merchant who does so is in violation of their merchant agreement, regardless of what you scribbled on the back of your card.

              1. Ralph

                Just to clarify, based on what I have heard, including what you said here: ” it is against card brand rules to require the presentation of any form of ID to use a payment card.”, that reads to me like it is against the rules for THEM to require it, but if I require it, it is OK (now just getting them to comply with my requirements). I have had increased success lately with them asking me for id. Just don’t tell MC and Visa, I don’t want to get the good, security-conscious retailers in trouble.

                1. Swamp Yankee

                  First off, you can’t require anything. Why? Because it’s NOT your card, it’s the bank’s card, the bank OWNS the card, it’s the bank’s property. I used to love when I worked retail and the machine came back and had ‘PICK UP’ on it, I would turn around with a pair of scissors and cut that card in half, right in front of the customer and watch their lower jaw hit the counter, and why was I able to do that, because the bank just told me to cut THEIR card in half, NOT the customer’s card.

                  1. Soy Tenley

                    I worked at a Diamond Shamrock gasoline station in 1983, and had to tell a customer who had already pumped gasoline that the card (Visa) was listed in the weekly booklet and I had to cut the card and send it in. He dug up some cash and paid for the gasoline. A couple of weeks later I got $50 because the card had been reported stolen.

                    At the time, regular leaded gasoline was selling for 92.9 cents a gallon. Unleaded was a nickel more expensive. Superunleaded was ten cents more expensive.

                    One country customer had a large gasoline tank installed in the bed of his pickup truck. It took 150 gallons to fill it.

              2. Soy Tenley

                The people at the registers at Fry’s in Austin, Texas, usually, but not always, ask me for an ID when I present a credit card, and I have never put “check ID” on any credit card.

                As an old friend would say, “I don’t give it no nevermind.”

            4. Fred

              I worked at Radio Shack while an undergrad, and even back then there were lots of smug, clever people who would put “CHECK FOR ID” into the signature space (but not sign the card). It was always funny to watch their smug little grins evaporate when I would not only check their photo ID, but also point to the printing on the back that said “CARD NOT VALID UNLESS SIGNED.” And yes, I would not accept their card unless they signed it and the signature matched the photo ID.

          2. Steve

            the whole “CHECK FOR ID” thing is not good for these reasons:
            1. It is invalid according to the terms of your credit card agreement, at least with VISA and Mastercard, and the vendor not only has the right, but the OBLIGATION to refuse your card since there is no signature. The flip side of this is that almost no one READS their merchant agreement, so has no idea this is the case.

            2. So you hand them a license, which they can, if they choose, scan the magnetic strip on, and at least get the license number that way. With the resolution on small cameras these days, if they pre-train a camera on a certain location where they set the license, they now have almost EVERYTHING they need to steal your identity. People leave their cellphones all over these days – do you notice if the sales clerk has theirs sitting on or near the register? Did they just set your license in the range of its camera? This is one reason I REFUSE to give my ID to merchants that always ask for it, because they clearly don’t know that it opens their customer up to identity theft.

            This goes to the very heart of this article – while signature based verification sucks, doing it incorrectly can lead to additional, WORSE problems, just like doing the chip and pin wrong has led to problems.

          3. joe dirt

            This article is saying that they probably just cloned the card. Writing on your card won’t stop these attacks in any way.

            1. dave

              Not quite.

              It says they used stolen card information and tampered payment systems to change the message format to claim it was a chip card.

              The issuers didn’t do the checking they should have that would have shown it to be a fake.

          4. Dave Gitlin

            @Jason, did you remember to tell the thieves who will clone your credit card to write “See I.D.!” on the signature strip? I’d say on 1% of transactions am I asked for I.D. & it isn’t skewed towards the large dollar amounts, Jason, please let me know how that goes…

        4. 1234

          You can learn to copy someone’s signature, given a little effort. But you can also get someone’s PIN by shoulder-surfing or more advanced ways. You can get both with the proverbial $5 wrench.

          Although that is irrelevant since my comment was merely a knee-jerk joke without much thought to reality. Using the name 1234 and asking if there is a difference between a signature and a PIN. I am sorry if anyone thought it was a serious contribution.

          1. jimmiedave

            Thing is, you’re describing how to commit fraud once. When sigs are allowed, there’s no check on running thousands of fraudulent transactions, because the assumption’s made that a human has checked each sig.

            With PINs, you have to be right each of those thousands of times. That’s hard, assuming your PIN mechanism is adequately protected (though I wouldn’t take bets on that adequacy, as I don’t know much about its implementation).

            We simply should not allow Chip-and-Sig.

            1. timeless

              Adequately protected?
              How?

              Do you tug at each and every PIN pad?
              Do you cover your hands each time you use a PIN pad?
              Do you wipe each and every PIN pad after you use it?
              Do you apply a heat mask to correct for Infrared disturbances caused by your fingers?

              * some of these can probably be solved by wearing gloves.

            2. Alphonse

              breached card data cannot be used as EMV transactions (regardless of PIN requirements)

              1. Dave

                Unless of course the Issuer isn’t checking the EMV message properly.

                … Seriously. Is there a face palm emoticon?

                1. Alex

                  Some payment providers/banks even ignore the CVV. You have to send it to them but they accept any value. Yes, really. I work with this stuff.

      2. LessThanObvious

        There is a difference. One that Jonathan E. Jaffe was able to help me quantify last time. I’m not convinced that chip-and-pin is an end all security solution. The likelihood of the liability shifting to the consumer with chip-and-pin scares me. Chip-and-signature with the consumer keeping the presumption of innocence seems to me, for the time being better.

        From his reply:
        Holly, you wrote: “You will always be protected by Reg E and even Visa. Consumer liability is a non-issue as long as you notify your FI in a timely manner.” I spent 9 years as a bank director (before the collapse!) and I’d agree about the protections … TODAY.
        Take a look under the May 2014 section of http://nc3.mobi/references/emv/ on what is happening in Europe under EMV. That page has lots of links, but here is the relevant text.
        Change in Presumption of Innocence
        An article in The Register (whose slogan is Biting the hand that feeds IT) is rather critical of chip-and-pin citing established weaknesses and some new ones referred to in the new paper Chip and Skim: cloning EMV cards with the pre-play attack from the Computer Laboratory, University of Cambridge, UK (16 page PDF) presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California 5/19/2014.
        In this paper it is worth looking at the change in what we call presumption of innocence as it describes the case of a Mr Gambin, “who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29th June 2011. In such cases we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities.” [ The bank deleted the evidence that would have shown the fraud. highlighting ours, see right column page one of the 16 page PDF -ed]
        Axiom: Prevention is cheaper than cure.

        1. JCitizen

          Yep! Any news that besmirches this expensive boondoggle called “Cowchip-N-Pen” is music to my ears. It is TOO BIG TO FAIL – and I don’t want to pay for it! We will all be paying big money for old technology that is just going to put all the onus for losses on our heads!

        2. peter

          Agreed! Banks took a while to become sensitized to the fraud possibilities with chip+PIN but it has now set in. All the same, I still wonder why the U.S. is going with chip+signature. Most terminals have PIN pads already so that can’t be it. And many of the terminals need replacement anyhow because the existing ones don’t have chip readers.

          One theory is that the U.S. does not have the special ATMs that are needed for customers to change PINs (apparently the ones in Europe most have this ability).

        3. Dave

          A few points:

          * Liability shift is between the acquirer of the transaction and the merchant. The consumer is not involved. It is incentive to use better technology because the laggard eats the loss.
          * Do watch your banks (Issuer) to see if they try and hold you for losses. Normally in disputes credit is in your favor over debit. The incident you cite is an ABM transaction not a credit transaction. Different rules apply. Banks have always fought hard here. Nothing new. (Ross keep up the fight!)
          * Not to minimize EMV’s problems but Jonathan’s EMV page is a bit of a mishmash. It could be much better organized and explained. For instance, you can’t easily know which papers are UK/EMV implementation problems vs. other EMV problems.
          * Jonathan is also using his comments here in part to push a mobile solution. Now, I have no idea if his solution is good or bad. But I will note that mobile has not had a stellar record for security. Problems are emerging rapidly. Design problems, implementation problems, there are few generally accepted standards, etc. Also, I will feel more confident in mobile when it has received similar levels of scrutiny and testing to other solutions.
          * Waiting for the next thing to replace EMV and eating the fraud isn’t really a viable option. With the rest of the world on it, fraud will come to the US big time.

          1. Alex

            There was a case in Europe where someone’s PIN was used to withdraw lots of money from an ATM but they hadn’t even opened the PIN envelope. IIRC that had to be settled in court. Just dumb.

    1. Sasparilla

      “What are they thinking, even _trying_ to do Chip and Signature!”

      But the big U.S. banks will save $5 a retail chip console if they don’t use PIN.

      The original plan for the U.S. by the banks was to do Chip and Signature only and skip the extra security of PIN (presumably because of some extra cost)…after everything that has happened over the last year…it’s amazing to see they haven’t altered their plans.

      1. brown

        PIN would have done nothing to prevent or limit any additional fraud over and above what chip and sig would have in any of the breaches since Target a year ago. PIN is only useful to prevent physical legitimate cards from being stolen and used. In none of these cases were cards physically stolen, just the data. Had EMV been in place the data would have been useless as it can’t be used to create counterfeit cards. In a Chip and Sig environment the only pieces of information that would be compromised would be card # and expiry date and iCVV/iCVC. iCVV/iCVC will only work in an EMV transaction so it is useless to the fraudsters. That leaves card # and expiry date. There are not many things you can do with just those 2 pieces of information. Maybe some card not present fraud.

      2. Dave

        $5 is huge but the larger question is are they being penny wise and pound foolish.

        A few years back I was working with a merchant who also issued their own cards. They decided with their wave/tap cards not to go with the dynamic element on the initial deployment because (I was told) it saved them $0.06 per card issued.

    2. Just My Opinion

      Jimmie, you did read the part where it said the bank hasn’t even issued chip cards yet, right? So the Chip & PIN vs. Chip & Signature question is moot.

      The ‘chip’ part of the tran was the illegitimate part…

    1. JD

      I’ve been shouting this since before Target. EMV has been touted as the silver bullet, and it’s not even close. Personally, I would rather see a requirement for end to end encryption of transactions – you would prevent the capture of card data, regardless of card / transaction type. But the problem remains for most (as it does at my company) no one is signing off on a solution that costs per transaction.

      EMV is a paper tiger, so to speak.

      1. Terry

        End to end encryption has its weaknesses also; to do it right requires that the encryption be hardware based before the processor. This creates numerous challenges for the card reader design (can be done). But, all fixed encryption can be broken. So two cost challenges: replacing all current terminals; replacing all terminals on a fixed cycle in an attempt to stay ahead of the crypto curve.

      2. Alphonse

        EMV wipes out counterfeit fraud…the issuing banks that misconfigured can fix easily – they just need to update option sets on auth decision hierarchy. Fraud can still be attempted, and still needs to be managed. But Chip has shifted the paradigm.

      1. Frank

        In Brazil you do, to save the lives of your kidnapped family. Brazil is extremely violent, you can’t compare this country to the US where there is some form of working law.

    1. Lou Johnson

      I AGREE. INSIDE JOB. Fraud occurred before the cards were issued? Must have a bunch of Russians and Chinese working for them!

      1. Jason

        Reading comprehension fail. The bank has no EMV cards issued at all. The mag strip cards’ data were used and faked as EMV transactions to bypass other security checks (like location).

        How about you read the article before you comment and not just skim?

  2. Mirit

    We’ve actually seen this attack about a month ago emanating from Indian fraudulent merchants.

  3. Andy Barratt

    This is another case of a bad implementation. If the issuer or processor doesn’t check the ARQC the cryptogram generated when doing an auth request they’ve let everyone down. They shouldn’t just flag EMV transactions as lower risk just because. They are lower risk because it is possible to verify them!

    This is likely to happen again in North America as there is a knee jerk rush to implement EMV rather than a phased multi year implementation like the one that occurred in the UK. Which is a real shame because the US now has the ability to adopt all the bits that we know work properly and miss out on these kinds of mistakes.

    1. Christoph

      Agreed. It’s no use implementing security measures like EMV when you don’t verify their use (i.e. check ARQCs).

      Likewise, why would any financial institution let so many transactions go into some sort of on-behalf processing? Either you authorize everything yourself or you outsource, but then for g0d’s sake do it properly.

  4. Alphonse

    iCVV implementation and verification is also key for Chip issuers, as are basic logic checks to decline activity that doesn’t make sense (Chip for non Chip issuers, invalid service codes, etc.)…these settings often get defaulted to ‘make the sale’, rather than secure the transaction.
    As noted by Brian and others for some time, EMV doesn’t exist in a vacuum, and strategies need to be adaptable and well thought out.

    1. JD

      You are absolutely correct, the fall back for most is to fall back to whatever makes the sale. Since retailers don’t burden [much of] the cost for fraud, there is no incentive to not authorize a transaction. This is where EMV can flop just as big as magstripe. Most EMV cards are issued with a magstripe for backwards compatibility when a retailer doesn’t support EMV, but even retailers that DO support EMV can choose to fall back to magstripe if there is a chip issue on the card – which means for fraud, all you have to do is rewrite the card data on to an EMV card and break the chip; this will cause the retailer’s PIN device to see the chip is broken and fall back to using the magstripe in most cases. Retailers CAN refuse to fall back to magstripe, but why should they?

      1. Alphonse

        If properly configured, card data cannot be swapped between the mag stripe and a clone EMV chip (or vice versa). As for merchant behaviour, they can make a business decision to not upgrade to chip (but will be liable for the fraud). If they do upgrade, and a technical fallback occurs, the bank takes on the risk and can approve/decline based on risk and pattern analysis. If the bank approves a fallback to mag, it is liable. Fraudsters will quickly make certain segments unprofitable, and strategies will emerge to decline.

  5. Mary

    Someone I know told me not to “sign” my signature on the back of my credit cards… they said instead of writing your signature, write this… “SEE MY ID”… that way they will have to ask you for an ID. I am now incorporating this on all of my credit cards, and if they want to match my signature to a credit transaction, then they can ask to see my driver’s license, which in my state is a requirement on our driver’s licenses.

    1. Greybeard

      Mary,

      There are several things wrong with the “CHECK ID” approach:
      1) using an unsigned card is committing fraud.
      2) a merchant who accepts an unsigned card is violating his/her merchant agreement, and will be liable for any fraud, so they should not accept the card without requiring you to sign it on the spot
      3) a signed card means that (at least for VISA and MC) a merchant MAY NOT require identification to use the card

      So…what are you actually doing by not signing the card? Someone who gets ahold of it can just sign it, and then say “No” if a merchant asks for identification. Better you should sign it and then they have to at least try to forge your signature…

      1. LouJohnson

        My signature has worn off all my cards. This forces the merchant to check my ID and I assume compare the signature on my DL to the credit card slip.

        1. Andrew

          Your signature on a merchant’s copy of a credit card receipt isn’t for identification purposes, it’s your agreement to pay the debt owed to the card issuer.

      2. Ralph

        I originally did what Mary did and was advised of my folly. I now sign my card AND put “PLEASE ASK FOR PICTURE ID” on it, and have been very successful.

        The two difficulties with this are 1. you have to sign and print small. 2. must remember to keep a picture ID with your credit card.

        1. JD

          Y’all must shop at some great merchants. I haven’t been asked to see the signature panel on my card in YEARS, and maybe 2-3 times a year will a merchant ask to see ID with a purchase.

      3. brad

        Greybeard and Mary
        Actually CHECK ID – is invalid. Per Mastercard and Visa, the back of the card has to be signed. However, they also state that poor clerk is only responsible for verifying the first and last initial as they aren’t “signature experts” – hence, banks lose on almost all signature transactions – signature totally unenforceable.

      4. Robert.Walter

        My family hasn’t signed a credit card in 30 years and uses credit cards, Amex, MC or Visa, exclusively for purchases; little cash and No debit.

        Never been rejected yet; this includes purchases in the thousands of dollars per transaction.

        Can’t wait to move more of our purchases thru Apple Pay (which btw would bury Greybeard’s concerns.)

      5. Johneveryman

        You forgot one other security problem with the SEE ID approach

        You are showing your drivers license, and all the information it contains (full name, home address, date of birth, drivers license number) to people you don’t know and who are holding your credit card (with the name of your bank) in their hands.

        It’s a lot of data if they can capture it quickly enough.

      1. BrianKrebs Post author

        Hah! The fact that writing anything other than your signature on your card invalidates the card seems more of an urban legend, even if it is technically accurate to the letter of the contract you sign when signing up for a new card.

        I’d like to see a store associate or anyone else say you can’t use a card because it says check ID. I’ve had check ID on all my cards for more than a decade, and I’d say about half the time they actually do notice that and ask for ID. I always am courteous about it and thank them for asking.

        1. Eric

          I have had “SEE ID” on my cards for the last 15 years or so, and have never had any merchant balk at it.

        2. Johneveryman

          The US post office was the one merchant who followed the MC/VISA rules to the letter, and would not accept SEE ID cards unless they were run as a debit transaction.

          This is a practice I recommend against, because the type of fraud preventable by SEE ID is rare, but the response is to hand over your ID, with all the sensitive details contained on it, to someone you don’t know who has your bank card in your hand.

          Someday some clever criminal will figure out that this is a honeypot and will surreptitiously image from above/below and, voila:

          Bank name
          Card number
          Cvv (if card is flipped)
          Name
          Address
          Date of birth
          Drivers license number

          1. Alphonse

            Good point. It also does not prevent breached cards from being used with a fake ID. They would just need to not load the Track 1 data (to prevent the victim’s name from appearing on the receipt).

          2. Soy Tenley

            Never give your credit card and ID card to anyone wearing a Google Glass gadget.

            In the future, any pair of eyeglasses will be suspicious.

            And what about people who have replaced an eyeball with a glass eye? Camera and transmitter in their head! Battery in glass eye recharged by putting one’s head on a wireless charging pad.

        3. JD

          Check out page 29 of this PDF: http://www.axiapayments.com/wp-content/uploads/2011/12/27.pdf they state quite clearly that not having an authorized signature in the signature box makes the card invalid and the merchant liable for fraud in that case. The real story is that card present fraud is extremely rare and, understandably, not where CC companies want to focus their efforts.

    2. Nathan

      I have done this before in the past and can tell you it worked about 10% of the time. Most retailers just do not care enough or are not properly trained to check for the signature. Couple this with the fact that many retailers today don’t even touch the card you pay with, they just have the customer swipe the card themselves.

      1. Soy Tenley

        Retailers like WalMart, Target, HEB, and any store that has self-checkout.

    3. Jason

      Do both. Put “ASK FOR ID!” and sign the card. Then you’ll see how many even bother to look at the card. 95% of places I go to do not – it’s almost always the small mom-and-pop places that do.

      Worse, is if you have something like a Costco AMEX with a photo on the back. They just assume if the photo looks like you that it is all legit. Except that it’s not hard at all to remove the original photo and print a new photo on the card.

      1. Jeff

        The way to know if they even look at your card is to look at their face and see where their eyes are pointing.

        They could easily look at the card, see that is signed, see that you scrawled some gibberish of no legal significance on it, and hand it back to you without comment.

    4. Steve Sommers

      The signature panel on the back of cards combined with their no ID check rules are probably the stupidest thing the card brands hold onto. This is a holdover from the 50’s or earlier when banks verified your signature at the counter to make a withdrawal. The problem is the bank clerk also checked ID at the counter and the clerks had at least remedial training in verifying signatures. The average store clerk has no clue on how to verify a signature and most don’t bother to check in the first place. Sign the card, don’t sign the card, it doesn’t matter – someone steals your card and a PIN is not required, it’s going to be used and the clerk will get the charge-back.

  6. ID10T Error

    What merchants do to make the sale is entirely different than what their card agreement says. Many merchants do not require a signature for a purchase under X amount of dollars. In addition unless otherwise instructed, (NOT) cashiers understand the logic of “See My ID”. Most of the time they don’t care and never ask so it is a non-issue, but those who do, always look directly at me to verify the person standing in front of them is the same one as the picture on the ID. Furthermore, I use my drivers license as an ID and it has my signature on it for them to compare to how I sign the credit card slip. There is your 2 factor identification! As far as foreign transactions go, one of the alerts from my credit card issuer, (AMEX) is a foreign transaction alert, which I have enabled. I almost never use a debit card, but if I do, it is always processed as credit.

    1. Jason

      I’ve never had a merchant who asked to see my ID actually touch my ID. I hold my wallet while they look at it through the plastic. The failure here is that it’d be easy to fake a matching ID.

      I don’t ever let anyone other than law enforcement (as you don’t have a choice) touch my ID. I’ve seen them swipe IDs to scan the info off of them – no way, not your business to know all that info about me, and most likely use it in some promo/junkmail way, which in turn is ripe for getting hacked as well.

    2. Alphonse

      Check ID only applies for a true card being stolen. The vast majority of fraud on payment cards occurs from stealing track data and recoding onto another plastic (or in future other track carrying device). Fraudsters can also write Check ID and have it actually match with the counterfeited card they created.

  7. Eduard Literate

    An increasing number of the comments here prove the old adage “You Can’t Fix Stupid”.

  8. Lisa

    @Brian

    You’ve got a couple of problem typos in this quote:

    “I remember when I went to Brazil a couple of y ears ago, their biggest problem was merchants were taking point-of-sale systems home, and the running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

    As in all things human laziness is the downfall of any security measures.
    If a customer is too lazy to have a more secure method of remembering his/her PINS & instead writes them on the back of the card they might as well be sending out invites to the crooks. If a customer believes everything a “friend” tells them without doing their own research into it ie: NOT signing the back of their credit/debit card, again they’re just asking for trouble. And above all if a BANK is too lazy to properly implement a new security measure, they’re sending out invites to crooks to take advantage of their entire customer base.

    Diligence, Self-Advocacy & Responsibility. Without these we have no one to blame but ourselves.

  9. Vandy

    It’s disturbing that the bank’s systems don’t check whether or not card number XYZ has an EMV chip, in case a merchant offers an EMV payment. Sounds like the programmers of the payment scripts made an error ID-10-T.

    IF EMV1 GOTO Payment_Failed

    1. Ralph

      The point-of-sale and other systems are actually all over the map. Some can’t tell whether your card is a debit or credit, while others can. The chip readers are different than the mag-stripe readers, not “swiped” but inserted. Just after I was first issued my chip card, I had a sales clerk tell me after I tried swiping it with the mag-stripe that I had to insert it in the “chip reader”. It had given some sort of error, so it seems the capability is there; whether the software is written to support that capability is another question.

      1. Jason

        What is interesting is that it is hit-or-miss regarding the swiped magstrip being denied at a Chip-reading sales terminal.

        At my local WalMart, the self-check will deny my AMEX with EMV on a swipe and requires an insert. But if I pay at a human-run counter like the sports desk for a fishing license, it will still allow the swipe, even though the terminal accepts a Chip insert. I’ve purchased items at the sports desk weekly and continue to test this.

        1. Alphonse

          Try inserting it backwards (sometimes it takes a couple of times). The device will then tell you to swipe the Mag stripe. I tried this test at a Target unattended terminal and interestingly, it wouldn’t let me sign on the screen, I had to wait for an attendant to sign a paper copy. Added layer of security by the merchant to discourage fraudulent use of the technical fallback flow (criminals may still try it, but would definitely attract more ‘human’ attention if they repeatedly do this).

  10. Ross Anderson

    We’ve written for some time about dishonest merchants misrepresenting mag-stripe transactions as chip transactions, in order to get lower fees: see here and here, a write-up of a talk I gave at Financial Crypto earlier this year.

    1. Alphonse

      Thanks Ross, I have heard of the same thing happening for 3D Secure (VbyV and MC Securecode).

  11. Steve Sommers

    RE: “Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV”, “…crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it” And “…one illustrate the importance of banks setting up EMV correctly.”

    This points out EMV’s greatest weakness: complexity. The sad part is that it didn’t have to be so complex. Anyone who analyzes the EMV specification and implementation guides will realize that at the core marketing features were as much a priority as card authentication – possibly more so. It’s the marketing features that greatly increase the complexity, allowing for “bad implementation” vulnerabilities.

  12. Eric

    So the problem isn’t with the EMV itself, just that banks are lazy or incompetent and only implementing it halfway? How do these banks/merchants get certified to participate in the Visa/MC networks, then? Is the requirement for cryptochecking or validating transaction sequence numbers even part of PCI (the notorious ‘lowest common denominator’ of credit-card-handling security)?

    1. Brown

      Not lazy or incompetent just maximizing sales. The number of transactions that had invalid ARQC when EMV started rolling out was quite high. The main reason was the merchants/acquirers were not sending the data correctly and causing ARQC not to validate. There was no previous history of this type of fraud and therefore not worthwhile to decline invalid ARQC since it wasn’t mitigating any fraud.

  13. David Longenecker

    Brian,

    I understand how a replay attack would work to reuse EMV payment account information from a legitimate transaction for a future fraudulent transaction, and that by incrementing the transaction counter, the account could be reused until the cardholder tried to make another legitimate purchase, at which time the counters would no longer be in sync.

    This is different though – the payment account is not being replayed. What is the reason for a replay when using a different payment account altogether? What data are being replayed versus manipulated?

  14. Jonathan Rosenne

    Banks that did not issue EMV cards should adapt their authorization software to reject EMV transactions. Banks that issued some EMV cards and some magnetic cards (which is normal in the transition period) should check the CVV and the ATB, and not accept EMV transactions when the ATB (the first digit of the service code) indicates a magnetic card. The CVV protects against a fraudulent ATB.

    1. ID10T Error

      But wait! What about the FBI and the CIA?

      Sorry I couldn’t resist. I just love acronyms.

  15. Derrick Bretz

    This article makes my head hurt at the level of missing information that would clearly explain what happened here. Apologies as I did not review or edit this.

    Let’s review some scenarios… Skip to Scenario 3 if you want to see what I think likely happened

    Scenario 1

    1. MasterCard received EMV chip card transaction

    2. MasterCard forwarded the transaction to the bank’s issuer processor with the full EMV data and cryptogram.

    3. The bank’s core system was down, so the issuer processor performed stand-in authorization and approved the transaction.

    4. Bank issuer processors are responsible for transaction validation which includes PIN validation, CVV/CVC/CVV2/CVC2 validation, EMV Cryptogram Validation, expiration date validation, even to the point of transaction message validations, etc… Stand-in is no different except the issuer processor doesn’t have access to the available balance on the account which is held on the core system so the issuer processor works with the bank to set offline limits.

    5. Bank’s issuer processor in stand-in should have performed the validation checks and if they passed and the transaction was below the offline limits the transaction would have been approved. Because the transaction was a full EMV transaction after the EMV data and cryptogram were validated, the bank’s issuer processor would have had to generate an approved response cryptogram as well to be sent back to the merchant terminal.

    Issues in Scenario 1

    A. MasterCard should not forward EMV data to card programs (BINs) that have not been certified or been flagged in production at MasterCard to receive it. Unless the card program was flagged then…

    B. Even if MasterCard forwarded the transaction with EMV data to the bank’s issuer processor, the issuer processor should have done the proper validation steps on the EMV data and cryptogram which were then not performed either in part or at all. Which one would hope that limits were being checked but I have no idea even if those were used to generate the blanket approval responses.

    Review of Scenario 1

    I find this scenario nearly implausible because an issuer processor that is not validating the EMV request cryptogram with an MDK is not going to then be creating a valid response cryptogram.

    If this is not the scenario that describes what occurred then the fraud has more to do with misconfigurations than with breakdowns in online EMV transaction security.

    Scenario 2

    1. MasterCard received EMV chip card transaction

    2. MasterCard performed on behalf of (OBO) services and did no validation of the cryptogram or EMV data and forwarded a down-graded/converted mag-stripe transaction to the bank’s issuer processor. The OBO settings could have been set by the bank, the issuer processor, or MasterCard.

    3. The bank’s core system was down, so the issuer processor performed stand-in authorization and approved the transaction.

    4. Same as Scenario 1, Bank issuer processors are responsible for transaction validation which includes PIN validation, CVV/CVC/CVV2/CVC2 validation, expiration date validation, even to the point of transaction message validations, etc… Stand-in is no different except the issuer processor doesn’t have access to the available balance on the account which is held on the core system so the issuer processor works with the bank to set offline limits.

    5. Bank’s issuer processor in stand-in should have performed the validation checks and if they passed and the transaction was below the offline limits the transaction would have been approved. Because the transaction was a downgraded mag-stripe transaction, the issuer processor should have been prepared to handle values in fields to indicate the downgrade and validate those fields accordingly and when valid respond with approval.

    6. MasterCard would take the approval from the issuer processor and convert the transaction back to an EMV approval response and generate the appropriate response cryptogram, for which MasterCard would need the original MDK that was used to create the UDKs placed on the chip card.

    Issues with Scenario 2

    A. MasterCard should/would not perform OBO services where it was not directed or configured to.

    B. MasterCard would need the MDK to resolve and validate the cryptogram and again to respond with the approval cryptogram.

    Review of Scenario 2

    Again, this scenario appears implausible. Settings would have had to be in place at MasterCard that were misconfigured or the issuer processor validation settings were misconfigured and failed to perform proper validation of the downgraded mag-stripe transaction. At the end of the day it boils down to misconfiguration.

    Scenario 3 – My Guess

    1. MasterCard received a mag-stripe transaction from a cloned card, from a terminal indicating the terminal was performing fallback, or said another way, the mag-stripe transaction was being manipulated to place values in fields to indicate fallback or that the card was chip enabled.

    2. MasterCard forwarded the mag-stripe transaction to the bank’s issuer processor with the manipulated or improper values.

    3. The bank’s core system was down, so the issuer processor performed stand-in authorization and approved the transaction.

    4. Same as the other scenarios, Bank issuer processors are responsible for transaction validation which includes PIN validation, CVV/CVC/CVV2/CVC2 validation, expiration date validation, even to the point of transaction message validations, etc… Stand-in is no different except the issuer processor doesn’t have access to the available balance on the account which is held on the core system so the issuer processor works with the bank to set offline limits.

    5. Bank’s issuer processor in stand-in should have performed the validation checks and if they passed and the transaction was below the offline limits the transaction would have been approved. Because the transaction was a downgraded mag-stripe transaction, the issuer processor should have been prepared to handle values in fields to indicate the downgrade and validate those fields accordingly and when valid respond with approval.

    6. MasterCard would take the approval from the issuer processor and forward the response to the merchant.

    Issues with Scenario 3

    A. MasterCard received improper but valid possible values for fields in a mag-stripe transaction and sent those to the bank’s issuer processor. Happens all the time.

    B. The bank’s issuer processor wasn’t configured to perform the proper validations as values indicating a chip transaction should not have been possible at that time. In the future if the bank were to implement EMV then those values would then be possible and at least not used to automatically decline the transaction outright.

    Review of Scenario 3

    IMO, this is the most likely scenario. The bank received a mag-stripe transaction that had some values indicating that the card was a chip card or a fallback or downgraded transaction that resulted in the issuer processor not performing any validation or failing to provide proper validation and only validating as a mag-stripe to then approve based on limits.

    Depending on the issuer processor to core system infrastructure and configurations, it is possible that the core system was expected to perform those validations and because it was down no validations were performed, however unlikely.

    Now, as to the confusion resulting from MasterCard initially insisting that the charges were made using physical chip-based cards. I would suspect this is the result of the bank trying to submit for a chargeback but the system and the chargeback staff at MasterCard looked at the field values in the transaction which indicated the card was a chip card. The chargeback system would not let the bank submit the chargeback and thus the confusion, as the chargeback staff at MasterCard doesn’t know the bank never issued chip cards.

    Closing

    This is likely more standard mag-stripe counterfeit fraud with a new twist and has nothing to do with replay or the security of an EMV transaction. I doubt the fraudsters were even trying to trip up issuer processing systems and their validation criteria or processes.

    1. brown

      I can tell you for certain that these were not fallback transactions. They came in with a POS entry mode of 05. The data was manually keyed in though, there were no actual cards present. Many had invalid service codes and all had invalid ARQC. We lost about $1,000,000 over 2 weeks. We did not decline 100% of invalid ARQC because all those transactions were valid. The reason ARQC was invalid was due to the acquirers not sending the chip data or sending it in an incorrect format. This was especially true early on when EMV first rolled out. It was more profitable to approve invalid ARQC than decline. This little scheme has changed the game. We now decline 100% of transactions with invalid ARQC. Now we wait and see where the fraudsters go next.

      1. Alphonse

        ARQC was not valid. Only the issuer EMV keys can generate a valid one. The fraudsters did not have the issuer keys (they didn’t compromise the master key, or have the individual cards to get the keys used by the card). This was a case of lack of skills and weak fraud management culture (probably dominated by sales, with fraud as an annoying afterthought).

        1. brown

          Correct, as long as the issuer was checking and declining for invalid ARQC then they would have seen no fraud being approved. the problem was that prior to this attack over the last 4 years we have had a total of $0.00 in fraud on transactions where ARQC was invalid. Therefore we (and a few other issuers) were not declining all transactions with an invalid ARQC. It just wasn’t profitable to do so. Even with $1,000,000 in fraud recently, we have made a lot more revenue over the past 4 years approving invalid ARQC. Now the landscape has changed and the risk/reward is no longer worth it.

    2. Alphonse

      If the EMV issuing bank had their keys properly loaded at Visa/MC then the ARQC would be checked and declined in this scenario.
      For the non-EMV bank, they would lose whether the fraudster swiped stolen track data, or did this through a chip terminal entry. Bottom line is that valid track data was used and authorized by the issuer. EMV would help them in future (but of course they need to configure properly).

  16. AreYouKiddingMe?

    I’m amazed at all the comments about merchants checking signatures. I use my chip & signature card on average 10+ times a week and rarely get asked for identification and have never had the signature on my card verified. Most of the terminals you sign on you can’t make it look like your normal signature even if you try.

    1. peter

      Traveling in Europe without a chip+PIN card has been a problem in the past but I must admit that my recent experiences in England and Germany with swipe-only cards have been positive.

      The most interesting thing is that everyone checked the signature. They checked it for EVERY transaction. I cannot remember the last time it was checked in the U.S. – it was too long ago.

  17. Derrick Bretz

    Did you censor my previous comment or just not moderate it yet?

    1. BrianKrebs Post author

      Derrick,

      I don’t censor comments. Occasionally, comments that are (like yours) extremely long will get automatically flagged by antispam filters.

      The fact that it took as long as it did for you to lay out your version of events (six points and multiple sub-parts) might explain why that view wasn’t expressed in the story.

  18. W. Vann Hall

    “Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards.”

    Since when? In my experience it is the retailer who eats the charge. I used to own a newspaper that accepted credit cards as payment for both subscriptions and advertising. Regularly, we would receive challenged payments, either because the buyer didn’t connect the business name (“Bold Type”) with that of the newspaper (“Spectator”) or, perhaps more commonly, because the buyer’s significant other questioned the charge. (A number of the ads we ran were ones you might not want to admit to your spouse or lover.)

    When we were lucky, the buyer would later return for a subsequent purchase, at which point we could reclaim the earlier loss. Otherwise, though, we had little recompense: Any challenged transaction was assumed to be fraudulent — even if the buyer’s signature matched that on the card and he or she presented a valid ID.

    (Obviously, this wouldn’t apply to ATM transactions.)

    On a related note, I spent much of the summer tending to my 91-year-old mother, who had somehow managed to descend a flight of stairs headfirst and on her back. I cooked, cleaned, and shopped for her until she had mended enough to fend for herself. For two-and-a-half months, I used her credit card countless times: grocery stores, pharmacies, doctor’s offices, gas stations, restaurants, big box and convenience stores — you name it. Not only was it issued under an obviously female name, it was unsigned — and not once was it even questioned, let alone challenged. (Admittedly, once at Goodwill the sales clerk asked the person ahead of me in line for ID — and I suddenly decided to pay cash for my purchase.)

  19. Derrick Bretz

    I didn’t assume I just figured I would check. Thank you for the heads up.

    tl;dr of the comment: The fraud is probably the result of a misconfiguration by the issuer processor during validation and has nothing to do with Replay attacks or online EMV transaction processing.

  20. brown

    I don’t know about other issuers but we found no real correlation between this fraud and the Home Depot breach. We have not been able to pinpoint a common point of compromise.

  21. Mark in CA

    I have a Chase chip and signature card, which I use extensively in Europe. In the signature field on the back of the card I have clearly written Photo ID, and yet no one has ever asked me for ID. The merchants here are all accustomed to people entering PINs, and never think to check the back of the card. In fact, in most instances, the merchant never handles the card at all.

    1. brown

      Why should the merchant check ID? it is not their responsibility. As long as the merchant can provide a signed receipt (the association’s definition of signature is very loose) then they are not responsible for the fraud. Therefore they have no incentive to check signature, all they need is for someone to put a mark on the signature line, whether it matches the signature on the card or ID is moot.

    2. timeless

      Asking someone to check ID is essentially unreasonable.

      What kind of ID do you carry?

      I don’t have a driver’s license, but there are 50 states + DC + USVI, Guam, PR each of whom issue driver’s licenses. They also hopefully issue non-drivers-license photo IDs.

      There are *thousands* of colleges/universities in the US. Your average college student probably only has that ID. And they probably spend most of their time using a forged one that pretends that they’re >21.

      There are 10 provinces in Canada, plus 3 territories. As with the US, hopefully each has a Driver’s license and a Provincial Photo ID. Unlike the US, most if not all probably also have a Health Card with a photo. That Health Card may or may not be seen as a legitimate photo ID for ID purposes (it varies by province, although this may be mostly because older cards didn’t have photos, or it may be because you shouldn’t be giving out your health card, just as you shouldn’t be giving out your SSN/SIN card).

      Beyond that, there are 50 countries in Europe, which probably all issue National IDs, possibly driver licenses with photo id (or not), and perhaps other IDs. And it’s likely that schools have photo id cards too…

      There’s no way anyone can be an expert in all of these forms of ID.

      It’s bad enough for a clerk to be asked to identify 20+ different paper (cotton or plastic) bills as real/fake. (1, 2, 5, 10, 20, 50, 100, 500 – plus three or more different series with different security features.)

      1. Greybeard

        @timeless

        Good point. I have a NEXUS card, which is used to expedite border crossings, and as such is MUCH harder to get than a driver’s license. It also happens that my wife gave me a wallet with a plastic window for my DL, which is a pain to extract the card from. So when someone asks me for photo ID, I tend to hand them the NEXUS card.

        Almost invariably they look confused and/or uncomfortable until I say “Would you rather have my driver’s license?” This happened today when I went to vote (absentee): he had a list of approved IDs, and it wasn’t on it (or he didn’t know it was, anyway).

        So yeah, given how easy a fake license is to get (at least for some distant state), in most cases it’s trivial to fake the ID part as well (I suppose not for voting, since a non-local DL is unlikely to be acceptable, but for everything else!)

        Given the resistance to any kind of national ID card (and I’m not interested in discussing that issue–let’s just note that the current climate is such that it’s a non-starter), the whole “show some ID” question is a mess, and is only going to get worse. I know lots of people who carry passports just so they have some ID that’s going to be hard for anyone to argue with–but that assumes people know how to validate a passport! I’m sure a decent (but not great) fake US passport would fool most folks; a mediocre passport that claims to be from Canada would fool most of the rest.

        Retinal scans, yeah, that’s it… *sigh*

        1. timeless

          Voting is hilarious. I just finished filling out my ballot. Anyone who talks about the nonsense involved in IDs will point out the problem:

          My ballot doesn’t require an ID — it’s absentee, all you need to do is:
          1. Convince the state to issue an absentee ballot (this doesn’t involve physical presence)
          2. Intercept the ballot (postal crime in countries, but probably not needed since you control the destination in 1).
          3. Send your ballot by mail (I’m dropping mine off domestically — US Postage paid, but half the time it would require me to pay international postage) — the authentication is two pieces of information from 1. — neither of which involve a photo, nor an alive-test.

          This is where people expect pro-Republican fraud to be more common. Especially impersonation of senior citizens.

          1. JCitizen

            @timeless:

            You said,”people expect pro-Republican fraud”. That’s funny – from everything I’ve seen, in several states republicans led efforts to reduce fraud and prove citizenship ID?!

            1. teej

              @JCitizen

              You’re correct that it’s primarily Republican governors and legislators who are making noise about voter IDs. However, these Republican-led efforts (and other “voting reform” measures such as reducing hours that polls are open, restricting same-day voter registration, and preventing early voting) are primarily aimed at reducing voter turnout in minority and youth demographics – demographics which, in recent history, have leaned heavily Democratic.

          2. Ralph

            You people make me sick. This is a forum about chip and pin and you have to blow it into a political debate? I have an opinion on this subject but will not express it here. You should be ashamed of yourselves for political grandstanding on a site where such important technical issues are being discussed!!!

      2. SeymourB

        Who needs to be an expert in checking IDs? Most thieves aren’t going to go through the expense of creating even a halfway legitimate ID for every identity they’ve stolen.

        If I hand you a piece of paper that looks like an otherwise genuine ID, aren’t you going to be a little suspicious? How about a piece of paper that’s been cheaply laminated, yet claims to be official government issued ID?

        Most of the IDs a clerk sees won’t be from people in other states, won’t be for people from other countries, they won’t even be for people with student IDs. They’ll be regular people with either a state-issued identification card or a state-issued driver’s license. Match up the photo on the ID with the person, match up the name on the ID with the name on the credit card. When you encounter something that looks suspicious simply flag down a manager and let them deal with it.

        I’ve been asked for ID plenty of times when checking out with a card. I don’t bitch, I don’t complain, in fact I usually thank the teller. And they’re not singling me out – they do it for every person who uses a card. It barely slows down the checkout process beyond the time it takes to pull out the ID, which is typically right next to their card anyway.

  22. Mary

    So now I understand why last week my “small New England” bank sent me a letter stating that they were reissuing all MC debit cards, and my current one would automatically deactivate early November.

  23. Steve

    Having worked in Europe for a long while, I have been using chip cards since the early 90’s, and had very-very-very few issues with it, compared to the magnetic strip only US standard.
    In Norway, I was issued a CC with chip AND picture ID on the card: It was very easy for a clerk to check that I was the owner of the card.

    It’s only a matter of cost: As long as the banks and CC corp. will find that it is cheaper to deal with credit card fraud rather than using a more secure set of anti fraud measures, CC fraud will continue to flourish.
    *You*, the consumer, are the one ultimately paying for it.

    In the US, I use only one card, never sign the receipt with my “legal” signature, I have a big, bold “ASK FOR ID” on the back, as well as a fake pin written on the back. Still, I am 100% sure that the day will come where I will have to deal with my bank, or my credit score, over something that is ultimately the responsibility of my bank.

  24. Pookie

    So just to clarify (for those not in banking), regarding the cryptogram and counter – when you say ‘the bank’ wasn’t validating those parameters, it’s really the banking core system that isn’t doing those checks, correct? (i.e., Fiserv, Jack Henry, FIS, etc.) Not that the cores are necessarily responsible, since they implement the controls the bank chooses… but it’s not the bank’s employees that configure these, AFAIK. Minor – but notable – difference, IMO.

    1. Brown

      I think it varies from bank to bank. Larger more sophisticated issuers would have full control over the authorization parameters. They may have a 3rd party processor like TSYS but the issuer makes all the decisions as far as what to decline and approve.

    2. Derrick Bretz

      In the typical bank and as a gross generalization…

      In order for a bank to offer card programs, two separate processing systems are required: a core banking system and an EFT processing system.

      For a card payment, the core banking system is responsible for presenting the available balance for the linked DDA tied to the card. It is then responsible, depending on the result of the transaction, for impacting the balance.

      For a card payment, the EFT processing system is responsible for the heavy lifting. It maintains connections to the Visa/MasterCard/NYCE/Pulse/Star/Etc. networks of the world. It is responsible for performing transaction validation and authentication.
      1. Is the transaction properly formatted?
      2. Is the type of transaction supported?
      3. Depending on the type of transaction, are the proper security controls validated?
      3a. For EMV this would include ATC counters, cryptogram validation, dCVV or iCVV
      3b. For mag-stripe this would include, track length and layout validations, CVV/CVC validation, AVS validation?
      4. If PIN were used, PIN authentication?
      5. Card status & expiration validation?
      6. Real time fraud blocking rules?
      7. Velocity limits validation?

      I am leaving stuff out but you get the idea. Only after all of the validations and authentications have passed is the transaction even sent over to the core system to see if the balance of the account has enough funds and then returns the results back to the networks.

      Again typically, banks will outsource their EFT processing systems to a third party and when they perform those functions above, they are referred to in payments lingo as Issuer Processors. Many core system providers are also issuer processors but even so banks may choose to go with a different issuer processor from their core system provider.

      An example would be a bank using one of Fiserv’s core platforms while using Vantiv for Issuer Processing instead of Fiserv’s issuer processing.

      As to answering your question specifically, the bank is ultimately responsible for what they themselves or their vendor(s) are doing for validation. The vast majority of issuer processors will perform very similar if not the same validations as each other. It would be expected that if an EMV cryptogram was received that the issuer processor would validate it.

      Some issuer processors will let different validations be configurable to a degree or even optional where a bank could set or pay extra for better/more validation.

      1. brown

        Yes I agree that if the EMV cryptogram is received it should be validated but that doesn’t mean the issuer will decline the transaction. It depends on what the cost/benefit of declining a transaction is as well as what the issuer’s risk appetite is.

        Our bank has 6 different debit, credit and retail portfolios. We all use the same processor but each business has very different parameters in place. For example one portfolio will decline 100% of invalid cvc/cvv2 transactions. Another may only decline invalid cvc/cvv2 if the fraud score is above a certain threshold or within a specific group of MCCs.

        1. Derrick Bretz

          3 points…

          1. Any bank that is ignoring the validation results of the EMV cryptogram, dCVV, ATC, Etc. which all should have failed, not to mention the article references the card program was never setup for EMV and should have declined all the transactions for not even being a supported transaction type, I would love to see a cost/benefit analysis that would make this worth it on a card program level.

          2. As to fraud rules which aren’t quite the same thing as validations, it is completely reasonable to have different business rules taking in the context of the actual transaction like neural risk scores, mcc, location, velocity, etc. etc. etc. Transactions never should have gotten that far.

          3. The reason I even commented was to show that the fraud was the result of either poor configs or mis-configurations and truly has nothing to do with EMV. This fraud isn’t the result of an EMV replay attack and has nothing to do with EMV.

          1. brown

            As I stated earlier, we saw thousands of transactions each month that had invalid ARQC, none were fraud. For a while pretty much every transaction from Mexico came in with an invalid ARQC, also never turned out to be fraud, just bad data formatting from the acquirers. There was no benefit in declining these transactions over the past 4-5 years since we rolled out EMV. It mostly frustrated customers and flooded our call centers, so we stopped declining. It was profitable to do so for many years. It appears that that is no longer the case and we have begun to decline invalid ARQC.

            The same is true for invalid CVC2, it is pretty much always customers either keying CVC2 incorrectly or trying to guess it because they don’t know where their card is. Most fraudsters attempting CNP fraud will have a valid CVC2 anyway. An invalid CVC2 is a poor predictor of fraud. Therefore declining outright at the validation stage did not make sense for us and we let our fraud rules manage it instead of the all or nothing front end validation.

            I completely agree with point #3.

      2. darvinT

        Derrick Bretz said “It would be expected that if an EMV cryptogram was received that the issuer processor would validate it.”

        Do your expectations act as a control?

        1. Derrick Bretz

          I am not sure I understand your question?

          That comment references my understanding of what a typical bank would be doing and is based on my direct knowledge of the practices of most of the larger issuer processors in the US marketplace (FIS, Fiserv, JHA, CSI, Elan, Vantiv, TSYS, First Data, etc.)

          Visa and MasterCard also recommend that the cryptogram be validated and declined if it fails.

          Now, I understand that there can be issues caused by acquirers sending bad data, but those should get worked through in days or weeks and not ignored for months and years especially when it is something as serious as invalid cryptograms.

          1. brown

            Unfortunately the associations have not been very keen on going after acquirers sending bad data.
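Added example, not code from any commenter or processor in this thread: a toy issuer-processor authorization step that walks the validation order Derrick Bretz lists above and applies the decline policy brown describes (chip data on a program that never issued chips, invalid ARQC, non-increasing ATC, mismatched service code, stand-in offline limit). The card keys, POS entry mode constants other than 05, and the HMAC stand-in for the EMV cryptogram are assumptions; real EMV derives a 3DES/AES MAC under per-card session keys.

```python
import hmac
import hashlib
from dataclasses import dataclass

# POS entry mode values (ISO 8583 DE22): 05 = chip read (the value brown reports),
# 80 = fallback to mag-stripe, 90 = full mag-stripe read (80/90 assumed here).
CHIP, FALLBACK, MAGSTRIPE = "05", "80", "90"


@dataclass
class CardProgram:
    """Issuer-side view of one card; every value below is constructed."""
    pan: str
    emv_enabled: bool
    service_code: str            # service code the issuer encoded on track 2
    last_atc: int = 0            # highest ATC accepted so far
    offline_limit: int = 50_000  # stand-in limit in cents agreed with the bank
    emv_key: bytes = b""         # hypothetical per-card MAC key stand-in


def compute_arqc(key: bytes, txn: dict) -> str:
    """Stand-in for the EMV ARQC: a MAC over the kind of data the real
    cryptogram covers (amount, currency, ATC, terminal unpredictable number).
    HMAC-SHA256 is an assumption; EMV uses a 3DES/AES MAC under a session key."""
    data = f"{txn['amount']}|{txn['currency']}|{txn['atc']}|{txn['un']}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8].hex()


def authorize(card: CardProgram, txn: dict, core_online: bool, balance: int = 0):
    """Return (decision, reason). Security validations run first; the balance
    check (the core system's job) runs last, exactly as the thread describes."""
    mode = txn.get("pos_entry_mode")
    if mode == CHIP:
        # A chip transaction is not a supported type for a non-EMV card program.
        if not card.emv_enabled:
            return "DECLINE", "chip data on a card program that never issued chips"
        # Cryptogram check: only the issuer key can produce a matching ARQC.
        expected = compute_arqc(card.emv_key, txn)
        if not hmac.compare_digest(expected, txn.get("arqc", "")):
            return "DECLINE", "invalid ARQC"
        # ATC must move forward; a repeated value is replayed or stale chip data.
        if txn["atc"] <= card.last_atc:
            return "DECLINE", "ATC did not increase"
    elif mode in (FALLBACK, MAGSTRIPE):
        # Track data must carry the service code the issuer actually encoded.
        if txn.get("service_code") != card.service_code:
            return "DECLINE", "service code does not match issued track data"
        if mode == FALLBACK and not card.emv_enabled:
            return "DECLINE", "fallback indicated for a card that has no chip"
    else:
        return "DECLINE", f"unsupported POS entry mode {mode!r}"
    # Stand-in: with the core system offline only the agreed offline limit applies.
    if not core_online:
        if txn["amount"] > card.offline_limit:
            return "DECLINE", "stand-in: amount exceeds offline limit"
    elif txn["amount"] > balance:
        return "DECLINE", "insufficient funds"
    if mode == CHIP:
        card.last_atc = txn["atc"]  # record the counter only on approval
    return "APPROVE", "all validations passed"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    chip = CardProgram("4000000000000002", True, "201", last_atc=10, emv_key=key)
    plain = CardProgram("4000000000000010", False, "101")
    txn = {"pos_entry_mode": CHIP, "amount": 12_000, "currency": "986",
           "atc": 11, "un": "1a2b3c4d"}
    txn["arqc"] = compute_arqc(key, txn)
    print(authorize(plain, txn, True, 100_000))   # chip data, no chip program
    print(authorize(chip, txn, True, 100_000))    # valid ARQC and ATC
    print(authorize(chip, txn, True, 100_000))    # same data again: ATC replay
```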

  25. wesley chin

    why bother with broken credit card systems and banks. we have the blockchain technology and bitcoin payment network in 2014. stop trying to fix broken banking systems and centralized payment networks from the 1950’s.
