October 27, 2014

Fake 'EMV' charges fueled by Home Depot breach

At least three U.S. financial institutions within the past week have reported tens of thousands of dollars in fraudulent credit and debit card charges that came through Visa and MasterCard's networks as chip-enabled transactions, KrebsOnSecurity reported Monday.

The banks caught on to the charges because they have yet to issue chip-enabled, or EMV, debit and credit cards to their customers. Krebs reported that the transactions were coming from Brazil and hitting many card accounts that were stolen recently in the Home Depot data breach.

One of the banks involved in this latest fraud told Krebs that, based on a conversation with MasterCard officials, the most likely explanation for how the fraud occurred was a technique called a "replay" attack, where fraudsters push regular magnetic-stripe card transactions through the card network as EMV purchases.

The article says that while financial institutions often eat the costs of fraud, they can occasionally recover some of their costs through channels provided by Visa and MasterCard if they can prove the fraud occurred at a specific merchant. "However, banks are responsible for all the fraud costs that occur from any fraudulent use of their customers' chip-enabled cards – even fraudulent charges disguised as these pseudo-chip transactions," Krebs noted.

Avivah Litan, a fraud analyst with Gartner Inc., quoted by Krebs, noted that this is one example of the kind of fraud that can occur if financial institutions do not set up EMV correctly. "A lot of banks will loosen other fraud controls right away, even before they verify that they've got EMV implemented correctly," she said in the article. "They won't expect the point-of-sale codes to be manipulated by fraudsters. That's the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It's not that easy."
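As an added illustration (not part of the Krebs article or NAFCU's text), the Python sketch below shows the issuer-side check that exposed these charges: an authorization that claims chip entry on an account that was never issued a chip card, with the ordinary fraud rule still applied whatever entry mode is claimed. The record layout, account names, thresholds and sample transactions are constructed assumptions; the entry-mode prefixes follow the common ISO 8583 convention and should be confirmed against the card network's own specification.

```python
from dataclasses import dataclass

# Assumed POS entry mode prefixes (common ISO 8583 usage): 05 = contact chip,
# 07 = contactless chip, 90 = magnetic stripe. Verify against the network spec.
CHIP_ENTRY_MODES = {"05", "07"}

@dataclass(frozen=True)
class Auth:                      # hypothetical authorization record
    auth_id: str
    account: str
    pos_entry_mode: str          # e.g. "051"
    merchant_country: str
    amount: float

def claims_chip(auth: Auth) -> bool:
    """True when the message says the card was read as a chip card."""
    return auth.pos_entry_mode[:2] in CHIP_ENTRY_MODES

def review(auth, chip_issued, home_country="US", foreign_limit=200.0):
    """Return the reasons an authorization should be held for review."""
    reasons = []
    # The signal from the incident: a chip claim on a card that has no chip.
    if claims_chip(auth) and auth.account not in chip_issued:
        reasons.append("chip-claimed-on-magstripe-only-account")
    # Baseline control is NOT relaxed just because the message claims EMV.
    if auth.merchant_country != home_country and auth.amount > foreign_limit:
        reasons.append("foreign-high-value")
    return reasons

def flag_batch(auths, chip_issued):
    """Map auth_id -> reasons for every authorization with at least one reason."""
    return {a.auth_id: r for a in auths if (r := review(a, chip_issued))}

# Constructed sample data, not real transactions.
CHIP_ISSUED = {"acct-2002"}      # accounts that actually hold chip cards
SAMPLE = [
    Auth("A1", "acct-1001", "051", "BR", 950.00),  # chip claim, no chip card issued
    Auth("A2", "acct-1001", "901", "US", 42.10),   # ordinary domestic swipe
    Auth("A3", "acct-2002", "051", "BR", 780.00),  # real chip account, still reviewed
    Auth("A4", "acct-2002", "051", "US", 15.00),   # ordinary domestic chip purchase
]

if __name__ == "__main__":
    for auth_id, reasons in flag_batch(SAMPLE, CHIP_ISSUED).items():
        print(auth_id, reasons)
```

The first rule only works while the issuer's record of chip-issued accounts is accurate, so it weakens as chip cards roll out; the second rule is the kind of existing control the Litan quote warns against loosening early.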

Card issuers are required to adopt EMV technology by Oct. 1, 2015.

NAFCU continues to seek legislative action to ensure all market participants bear their share of responsibility for data breaches. It was the first financial trade association to call for a national data security standard for retailers after last year's Target breach. NAFCU is pushing Congress to establish a bipartisan working group to develop legislative recommendations to address ongoing retailer breaches.