Oct. 27th, 2014

thewayne: (Cyranose)
A bank in New England got took for $120,000 in fraudulent C&P charges emanating from Brazil. The issue? The bank hasn't issued any C&P cards yet.

One part of C&P is a built-in counter that is part of the transaction data stream. If your bank receives a second transaction with the same counter number, you know it's fraudulent. But since it's not implemented, it's largely ignored. Apparently some criminals in Brazil bought a bunch of stolen Home Depot cards, got ahold of a credit card terminal, and manipulated the data stream to cram the cards through. The bank recovered about $80k of the stolen money and is trying to get the rest back. Meanwhile, Mastercard is saying that the bank is responsible for the remainder.

After the Home Depot theft, the bank decided not to re-issue potentially compromised cards as they represented a fairly large portion of their customer base. I would guess that they're reconsidering that right now.

There's no doubt that C&P will greatly reduce fraud, but it's not easy to implement, so chances are that we'll see as much fraud, and maybe more, as it begins to be rolled out next year. In the case of this New England bank, an upstream provider authorized the charges when the bank's systems were offline and couldn't directly authenticate the transactions.
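To make the counter check concrete, here is a sketch of the issuer-side logic described above. It is an added example, not code from the bank, Mastercard or the linked articles, and the record layout, field names and card numbers are all constructed for illustration. It refuses chip-flagged charges on cards that were never issued with a chip, and refuses a second charge carrying a counter value already seen.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CardRecord:
    chip_issued: bool                       # was this account ever issued as a chip card?
    seen_counters: set = field(default_factory=set)

@dataclass
class AuthRequest:
    pan: str                                # card number (constructed sample values only)
    is_chip: bool                           # the data stream claims a chip transaction
    counter: Optional[int]                  # per-card transaction counter from the chip data

def authorize(cards, req):
    """Return (approved, reason) for one authorization request."""
    card = cards.get(req.pan)
    if card is None:
        return False, "unknown card"
    if not req.is_chip:
        # Magstripe charges carry no counter; other fraud rules are not modelled here.
        return True, "magstripe, counter check not applicable"
    if not card.chip_issued:
        # The situation in the post: chip data for a card that has no chip.
        return False, "chip transaction on a card never issued with a chip"
    if req.counter is None:
        return False, "chip transaction without a counter"
    if req.counter in card.seen_counters:
        return False, "counter already used (replay)"
    card.seen_counters.add(req.counter)
    return True, "ok"

def demo():
    # Constructed sample data: one magstripe-only card, one chip card.
    cards = {
        "4000000000000001": CardRecord(chip_issued=False),
        "4000000000000002": CardRecord(chip_issued=True),
    }
    stream = [
        AuthRequest("4000000000000001", is_chip=True, counter=7),     # spoofed chip data
        AuthRequest("4000000000000002", is_chip=True, counter=41),    # first use of 41
        AuthRequest("4000000000000002", is_chip=True, counter=41),    # same counter again
        AuthRequest("4000000000000002", is_chip=True, counter=42),    # next counter
        AuthRequest("4000000000000001", is_chip=False, counter=None), # plain swipe
    ]
    return [authorize(cards, r) for r in stream]

if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVE" if approved else "DECLINE", "-", reason)
```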

http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/


ETA: Bruce Schneier wrote about C&P attacks a while back; it's called a Pre-Play Attack.
https://www.schneier.com/blog/archives/2014/05/preplay_attack_.html
