A New England Bank’s Flawed Early Implementation of Chip Cards Allowed Unauthorized Charges


A series of unauthorized fraudulent EMV charges from Brazil baffled a small bank from New England recently. The bank is one of many that are starting to roll out the new EMV (chip-based) cards.

The problem with this particular fraud is that the bank has not yet started sending its customers the new chip cards. It had, however, already started implementing the system. The criminals must have been aware of this fact and used it to their advantage. Because implementing the EMV payment system is a rather lengthy and exceedingly difficult process, the bank’s security measures were lowered for all incoming chip transactions.

According to Brian Krebs, the bank effectively treated all EMV transactions as valid and didn’t (or rather couldn’t) verify all security factors, because the system was not fully in place yet. This is why these charges were able to get through as chip transactions without a PIN. The bank approved about $40,000 of the total $120,000. The approved transactions were let through by the bank’s automated processor, which is used for approvals when the bank’s core systems are offline.

The cards these fraudsters used were actually from the Home Depot breach. The New England bank said it didn’t reissue all the cards from the Home Depot breach, because it was not seeing a lot of fraudulent charges and didn’t deem it necessary. These charges from Brazil, however, exceeded its monthly fraud levels in just a few days.

The credit card companies involved will be investigating whether the vendors who own the terminals these charges originated from are involved in the fraud.