<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 7, 2014 at 12:14 AM, Henry Baker <span dir="ltr"><<a href="mailto:hbaker1@pipeline.com" target="_blank">hbaker1@pipeline.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">At 11:29 PM 12/5/2014, Henry Baker wrote:<br>
>I just read that the new US chip&pin system has already been hacked, and it isn't even in real service here yet!<br>
<br>
</span>I finally found the article:<br>
<br>
<a href="http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/" target="_blank">http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/</a><br>
<br>
Krebs on Security In-depth security news and investigation<br>
<br>
27 Oct 14<br>
<br>
‘Replay’ Attacks Spoof Chip Card Charges<br>
<br>
An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.<br>
<br>
Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.<br>
<br>
The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.<br></blockquote><div><br></div><div>Yes, yet another attack against the legacy support for magstripe cards in C&P. </div><div><br></div><div>The US banks only have themselves to blame here. It certainly isn't a merchant issue.</div><div><br></div><div>Relying on password security for financial transactions is stupid. Printing the password on the front of the card is triple stupid with a side order of negligence.</div><div> </div></div>The reason these attacks are taking place is the creaky financial services network infrastructure. The US banks are so far behind their authorization systems can't even reject the transactions as presenting an unknown authorization system.</div><div class="gmail_extra"><br></div><div class="gmail_extra">This is not a situation that Target or Home Depot have any ability to control. The solution is 100% in the banks court. They have access to the technology, they bear the loss, they should either eat it or pay to deploy technology that would eliminate the fraud channel.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div>