Oct. 27th, 2014

thewayne: (Cyranose)
A bank in New England got taken for $120,000 in fraudulent chip-and-PIN (C&P) charges emanating from Brazil. The issue? The bank hasn't issued any C&P cards yet.

One part of C&P is a built-in counter that is part of the transaction data stream. If your bank receives a second transaction with the same counter number, you know it's fraudulent. But since C&P isn't implemented yet, the counter is largely ignored. Apparently some criminals in Brazil bought a bunch of cards stolen from Home Depot, got ahold of a credit card terminal, and manipulated the data stream to cram the cards through. The bank recovered about $80k of the stolen money and is trying to get the rest back. Meanwhile, Mastercard is saying that the bank is responsible for the remainder.

After the Home Depot theft, the bank decided not to re-issue potentially compromised cards as they represented a fairly large portion of their customer base. I would guess that they're reconsidering that right now.

There's no doubt that C&P will greatly reduce fraud, but it's not easy to implement, so chances are that we'll see as much fraud, and maybe more, as it begins to be rolled out next year. In the case of this New England bank, an upstream provider authorized the charges when the bank's systems were offline and couldn't directly authenticate the transactions.

http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/


ETA: Bruce Schneier wrote about C&P attacks a while back; it's called a Pre-Play Attack.
https://www.schneier.com/blog/archives/2014/05/preplay_attack_.html
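
The counter check described above, as an added example that is not part of the original post: issuer-side logic that declines a chip-flagged transaction when no chip card was ever issued for the account, or when the counter value has been seen before. The field names, the `entry_mode` values and the sample account numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    chip_issued: bool                       # has the issuer ever issued a chip card here?
    seen: set = field(default_factory=set)  # counter values already presented
    highest: int = -1                       # highest counter value seen so far

def authorize(accounts, pan, entry_mode, counter=None):
    """Return (decision, reason) for one authorization request.

    entry_mode and counter are hypothetical field names standing in for
    whatever the transaction data stream actually carries.
    """
    acct = accounts.get(pan)
    if acct is None:
        return ("decline", "unknown account")
    if entry_mode != "chip":
        return ("approve", "non-chip transaction, no counter check applies")
    # The case in the post: chip-flagged traffic for cards that have no chip.
    if not acct.chip_issued:
        return ("decline", "chip transaction but no chip card issued")
    if counter is None:
        return ("decline", "chip transaction without a counter")
    if counter in acct.seen:
        return ("decline", "counter value already used")
    # Assumption: a value below the highest seen may be a late-arriving
    # legitimate transaction, so it is routed to review, not declined.
    decision = ("review", "counter lower than one already seen") \
        if counter < acct.highest else ("approve", "ok")
    acct.seen.add(counter)
    acct.highest = max(acct.highest, counter)
    return decision

def run_sample():
    # Constructed sample data: account numbers and counters are made up.
    accounts = {"4000-TEST-0001": Account(chip_issued=False),
                "4000-TEST-0002": Account(chip_issued=True)}
    requests = [("4000-TEST-0001", "chip", 17),      # chip data, card has no chip
                ("4000-TEST-0001", "magstripe", None),
                ("4000-TEST-0002", "chip", 5),
                ("4000-TEST-0002", "chip", 5),       # same counter again
                ("4000-TEST-0002", "chip", 9),
                ("4000-TEST-0002", "chip", 7)]       # arrives out of order
    return [authorize(accounts, *r)[0] for r in requests]

if __name__ == "__main__":
    print(run_sample())
```

Per the post, the charges were approved by an upstream provider while the bank was offline, so a check like this only helps if whoever authorizes on the bank's behalf applies it too.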
