It’s not just retailers who are struggling with technical issues involved in the transition to EMV chip payment cards. Some card-issuing U.S. banks are said to be having trouble too — and cybercriminals are taking advantage by automating the process of turning stolen numbers from mag-stripe cards into fake EMV transactions, according to Krebs on Security.
The fake transactions use so-called “replay” attacks, which began surfacing last year using card accounts from the massive mid-2014 Home Depot breach. In these attacks the thieves typically control a payment terminal and can manipulate the data fields of transactions put through it. After capturing traffic from a real EMV chip card transaction, they insert stolen card data into the transaction stream while changing the merchant and acquirer bank account data on the fly.
But what about the dynamic security features built into EMV cards? These include a “cryptogram” checksum so banks can spot an altered card or transaction, as well as an internal counter that gives every transaction a sequential number, so duplicate or out-of-sequence numbers could flag phony transactions.
Apparently, banks that have been fooled by replay fraud simply aren’t using those antifraud capabilities — and at the same time, they’re reducing their fraud controls on EMV transactions, counting on EMV to be inherently more secure.
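To make concrete what an issuer that does use those two checks would see, here is an added example (not from the article or from any bank's or card scheme's code) of issuer-side authorization that first verifies the transaction cryptogram and then requires the transaction counter (ATC) to advance. The cryptogram here is a simplified HMAC stand-in for the real EMV ARQC, and the key, card numbers and transaction values are constructed for the demo.

```python
import hmac
import hashlib

# Constructed issuer master key for the demo (not a real key).
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def session_key(master_key: bytes, pan: str, atc: int) -> bytes:
    """Simplified stand-in for EMV session-key derivation: one key per (card, ATC)."""
    return hmac.new(master_key, f"{pan}:{atc:04x}".encode(), hashlib.sha256).digest()


def compute_cryptogram(master_key: bytes, pan: str, atc: int,
                       amount: int, unpredictable_number: int) -> str:
    """Simplified stand-in for the ARQC: a MAC over the transaction data under the session key."""
    key = session_key(master_key, pan, atc)
    data = f"{amount}:{unpredictable_number:08x}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class IssuerAuthorizer:
    """The two issuer-side checks the article says fooled banks skip: cryptogram, then counter."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc: dict[str, int] = {}  # highest ATC accepted per card

    def authorize(self, tx: dict) -> tuple[bool, str]:
        expected = compute_cryptogram(self.master_key, tx["pan"], tx["atc"],
                                      tx["amount"], tx["unpredictable_number"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "cryptogram mismatch: card data or amount altered"
        last = self.last_atc.get(tx["pan"], -1)
        if tx["atc"] <= last:
            return False, f"ATC {tx['atc']} not above last seen {last}: replay"
        self.last_atc[tx["pan"]] = tx["atc"]
        return True, "approved"


def run_demo() -> list[tuple[bool, str]]:
    issuer = IssuerAuthorizer(ISSUER_MASTER_KEY)
    # Constructed genuine transaction, with the cryptogram as the chip would produce it.
    genuine = {"pan": "4000000000000002", "atc": 5, "amount": 4999,
               "unpredictable_number": 0x1A2B3C4D}
    genuine["cryptogram"] = compute_cryptogram(ISSUER_MASTER_KEY, genuine["pan"], 5,
                                               genuine["amount"], genuine["unpredictable_number"])
    replay = dict(genuine)                            # captured record submitted a second time
    swapped = dict(genuine, pan="5100000000000008")   # stolen mag-stripe number inserted
    return [issuer.authorize(genuine), issuer.authorize(replay), issuer.authorize(swapped)]
```

The genuine transaction is approved; the identical record submitted again fails on the counter, and the record with a swapped card number fails on the cryptogram, which is exactly what a bank that relaxes these checks would not see.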
“The reason I think they bother to fake EMV transactions is that they know the EMV card-issuing banks relax their fraud controls on them and don’t have it implemented properly, and therefore they do not properly check the dynamic EMV data,” said Gartner fraud analyst Avivah Litan, who was quoted by Krebs on Security.
While that’s been going on for months, something new has recently been added, according to security reporter Brian Krebs. A cybercriminal is now selling a software-as-a-service package that automates all the necessary manipulation of mag-stripe card data to make it look like an EMV transaction.
And while the automated system, known as “Evolution,” still can’t deal with cryptograms or counters, the seller also offers to provide a list of U.S. financial institutions that haven’t correctly implemented systems for validating chip-card transactions.
“The good news is that USA is shifting to EMV,” the fraudster said in his sales pitch, adding that his software “works with static EMV security not with dynamic. Static means the [counter] remains the same every transaction. The thing to add is that I will provide [Bank Identification Numbers] from a lot of banks that use static, some of them that [have] been tested on it after purchase. Imagine how many banks using STATIC!”