Bugs lead banks to approve fake EMV transactions

Fake transactions from Brazil take advantage of implementation errors to approve what appear to be chip card purchases without the PIN. Hint to banks: It's "Chip AND PIN," not OR.

Investigative reporter Brian Krebs reports this morning on a series of fraudulent credit card transactions from Brazil which take an odd approach, abusing implementation bugs in bank support for EMV (EuroPay/MasterCard/Visa) cards, also known as "Chip and PIN."

EMV is a standard, long in use in Europe, for payment cards with embedded cryptoprocessors which, in combination with a numeric PIN code, cryptographically prove that the purchaser both possesses the card and knows the PIN. The system is designed to replace the conventional and familiar mag stripe cards that have proven all too easy to abuse. EMV is just now being rolled out in the US but should be widely deployed over the next couple of years, both for credit and debit cards, under mandates from MasterCard and Visa.

The really odd thing about this attack is that the cards that were used in the transactions were not EMV cards; the banks involved ("at least three U.S. financial institutions" according to Krebs) hadn't even begun issuing EMV cards. The transactions were submitted through Visa and MasterCard as EMV transactions without a PIN, and yet they were honored. The experts with whom Krebs spoke suspect that the thieves had control of a payment terminal and were able to manipulate fields in the transactions.

Most of the cards involved were ones compromised in the recent Home Depot breach. Krebs spoke with a fraud expert at one of the banks involved. They had few enough cards breached at Home Depot that they didn't do a mass reissue.

As Krebs says, but I think understates, there are many ways that the banks, processors, MasterCard and Visa could have determined that these transactions were fraudulent, but they didn't. One bank was not checking the validity of the cryptographic data at all; if a transaction was submitted without a PIN code, they simply honored it.
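To make the failure concrete, here is an added example (not code from Krebs's report or from any of the banks involved) of an issuer-side authorization decision, written two ways: the permissive logic the article describes, and a stricter version that enforces the checks a "Chip AND PIN" issuer should make. The card file, keys and transactions are constructed sample data, and the cryptogram is a simplified HMAC stand-in for the EMV application cryptogram (real EMV derives per-transaction session keys from an issuer master key, which this model does not reproduce).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample card file for a hypothetical issuer. One card was issued
# with a chip; the other is mag-stripe only, like the cards in the article.
CARD_FILE: Dict[str, dict] = {
    "4111111111111111": {"emv_issued": True, "key": b"card-key-A", "last_atc": 41},
    "4222222222222222": {"emv_issued": False, "key": None, "last_atc": 0},
}


@dataclass
class Transaction:
    pan: str
    amount_cents: int
    entry_mode: str                    # "chip" or "magstripe", as submitted by the acquirer
    pin_verified: bool                 # outcome of the cardholder verification step
    atc: int = 0                       # application transaction counter reported by the chip
    unpredictable_number: str = ""     # terminal nonce bound into the cryptogram
    cryptogram: Optional[str] = None   # hex cryptogram, or None if the acquirer sent none


def compute_cryptogram(key: bytes, txn: Transaction) -> str:
    """Simplified cryptogram: HMAC over the fields the issuer must bind together."""
    msg = f"{txn.pan}|{txn.amount_cents}|{txn.atc}|{txn.unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_weak(txn: Transaction) -> Tuple[bool, str]:
    """The behaviour the article describes: a transaction flagged as chip is approved
    as long as the card exists; the cryptogram and the PIN result are never examined."""
    if txn.pan not in CARD_FILE:
        return False, "unknown card"
    return True, "approved"


def authorize_strict(txn: Transaction) -> Tuple[bool, str]:
    """Chip AND PIN: every claim the acquirer makes about the chip is verified."""
    card = CARD_FILE.get(txn.pan)
    if card is None:
        return False, "unknown card"
    if txn.entry_mode != "chip":
        return False, "non-chip transaction: apply mag-stripe rules"
    # Chip data for a card that was never issued with a chip cannot be genuine.
    if not card["emv_issued"]:
        return False, "chip data on a card never issued with a chip"
    # No cardholder verification, no approval.
    if not txn.pin_verified:
        return False, "PIN not verified"
    if txn.cryptogram is None:
        return False, "cryptogram missing"
    expected = compute_cryptogram(card["key"], txn)
    if not hmac.compare_digest(expected, txn.cryptogram):
        return False, "cryptogram does not verify"
    # A replayed chip exchange reuses a counter the issuer has already accepted.
    if txn.atc <= card["last_atc"]:
        return False, "transaction counter not advanced (possible replay)"
    card["last_atc"] = txn.atc
    return True, "approved"


def sample_genuine() -> Transaction:
    """Constructed chip-and-PIN purchase on the chip-issued card, with a valid cryptogram."""
    txn = Transaction("4111111111111111", 5000, "chip", True, atc=42,
                      unpredictable_number="1a2b3c4d")
    txn.cryptogram = compute_cryptogram(CARD_FILE[txn.pan]["key"], txn)
    return txn


def sample_forged() -> Transaction:
    """Constructed transaction shaped like the ones in the article: submitted as a chip
    purchase, no PIN, an arbitrary cryptogram, against a card never issued with a chip."""
    return Transaction("4222222222222222", 5000, "chip", False, atc=1,
                       unpredictable_number="deadbeef", cryptogram="00" * 32)


if __name__ == "__main__":
    for label, txn in (("genuine", sample_genuine()), ("forged", sample_forged())):
        print(label, "weak:", authorize_weak(txn), "strict:", authorize_strict(txn))
```

The weak path approves both transactions; the strict path approves only the genuine one and declines the forged one before it ever reaches the cryptogram check, because the card file says that number was never issued with a chip. Resubmitting the genuine transaction is declined as a counter reuse, which is the kind of inconsistency an issuer can only notice if it actually looks at the chip data it is sent.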

It's hard to have anything but contempt for such banks. Doing cryptography is, as Krebs says, hard. But EMV has been a long time coming, and credit/debit card fraud is hardly a new problem. From the description of events, it sounds as if little or no effort was put into implementing the system correctly. I also have to wonder how cards known to have been breached at Home Depot were still allowed to perform transactions, let alone from Brazil.

I can only hope that the people who take the hit for such fraud are the ones responsible for the lazy and naive decisions that led to it. It also just goes to prove the old truism that security is always a secondary consideration to keeping the business going at full speed.