Fraudsters Automating Fake EMV Chip Transactions

It’s not just retailers who are struggling with technical issues involved in the transition to EMV chip payment cards. Some card-issuing U.S. banks are said to be having trouble too — and cybercriminals are taking advantage by automating the process of turning stolen numbers from mag-stripe cards into fake EMV transactions, according to Krebs on Security.

The fake transactions use so-called “replay” attacks, which began surfacing last year using card accounts from the massive mid-2014 Home Depot breach. In these attacks, thieves typically have control of a payment terminal and can manipulate the data fields of transactions put through it. After capturing traffic from a real EMV chip card transaction, the thieves can insert stolen card data into the transaction stream while changing the merchant and acquirer bank account data on the fly.

But what about the dynamic security features built into EMV cards? These include a “cryptogram” checksum so banks can spot an altered card or transaction, as well as an internal counter that gives every transaction a sequential number, so duplicate or out-of-sequence numbers could flag phony transactions.

Apparently, banks that have been fooled by replay fraud simply aren’t using those antifraud capabilities — and at the same time, they’re reducing their fraud controls on EMV transactions, counting on EMV to be inherently more secure.
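The issuer-side checks described above can be sketched as follows. This is an added example, not code from the article or from any bank's system: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the keys, card numbers, and field names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed test PANs and keys (assumptions). A real issuer derives card keys
# inside an HSM and uses the EMV-specified cryptogram, not HMAC-SHA256.
CARD_KEYS = {
    "4000000000000002": b"constructed-key-card-A",
    "4000000000000010": b"constructed-key-card-B",
}

def cryptogram(key, pan, counter, amount, merchant):
    """Stand-in for the chip's cryptogram: a MAC over the transaction fields."""
    msg = f"{pan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # PAN -> highest transaction counter accepted

    def authorize(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, txn["pan"], txn["counter"],
                              txn["amount"], txn["merchant"])
        # Check 1: the cryptogram must match the fields actually presented.
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        # Check 2: the counter must advance; duplicates and older values fail.
        if txn["counter"] <= self.last_counter.get(txn["pan"], -1):
            return "DECLINE: counter reused or out of sequence"
        self.last_counter[txn["pan"]] = txn["counter"]
        return "APPROVE"

def demo():
    issuer = Issuer(CARD_KEYS)
    pan = "4000000000000002"
    genuine = {"pan": pan, "counter": 7, "amount": 1250, "merchant": "M-001"}
    genuine["cryptogram"] = cryptogram(CARD_KEYS[pan], pan, 7, 1250, "M-001")
    # Captured traffic resent with altered fields but the original cryptogram.
    altered_merchant = dict(genuine, merchant="M-999")
    swapped_card = dict(genuine, pan="4000000000000010")
    stream = (genuine, genuine, altered_merchant, swapped_card)
    return [issuer.authorize(t) for t in stream]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

An issuer that skips both checks would approve all four messages; with them in place, only the first is approved.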

“The reason I think they bother to fake EMV transactions is that they know the EMV card-issuing banks relax their fraud controls on them and don’t have it implemented properly, and therefore they do not properly check the dynamic EMV data,” said Gartner fraud analyst Avivah Litan, who was quoted by Krebs on Security.

While that’s been going on for months, something new has recently been added, according to security reporter Brian Krebs. A cybercriminal is now selling a software-as-a-service package that automates all the necessary manipulation of mag-stripe card data to make it look like an EMV transaction.

And while the automated system, known as “Evolution,” still can’t deal with cryptograms or counters, the seller also offers to provide a list of U.S. financial institutions that haven’t correctly implemented systems for validating chip-card transactions.

“The good news is that USA is shifting to EMV,” the fraudster said in his sales pitch, adding that his software “works with static EMV security not with dynamic. Static means the [counter] remains the same every transaction. The thing to add is that I will provide [Bank Identification Numbers] from a lot of banks that use static, some of them that [have] been tested on it after purchase. Imagine how many banks using STATIC!”
