[Cryptography] cost-watch - the cost of the Target breach

Phillip Hallam-Baker phill at hallambaker.com
Sun Dec 7 08:31:11 EST 2014 

On Sun, Dec 7, 2014 at 12:14 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> At 11:29 PM 12/5/2014, Henry Baker wrote:
> >I just read that the new US chip&pin system has already been hacked, and
> it isn't even in real service here yet!
>
> I finally found the article:
>
> http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/
>
> Krebs on Security In-depth security news and investigation
>
> 27 Oct 14
>
> ‘Replay’ Attacks Spoof Chip Card Charges
>
> An odd new pattern of credit card fraud emanating from Brazil and
> targeting U.S. financial institutions could spell costly trouble for banks
> that are just beginning to issue customers more secure chip-based credit
> and debit cards.
>
> Over the past week, at least three U.S. financial institutions reported
> receiving tens of thousands of dollars in fraudulent credit and debit card
> transactions coming from Brazil and hitting card accounts stolen in recent
> retail heists, principally cards compromised as part of the breach at Home
> Depot.
>
> The most puzzling aspect of these unauthorized charges?  They were all
> submitted through Visa and MasterCard‘s networks as chip-enabled
> transactions, even though the banks that issued the cards in question
> haven’t even yet begun sending customers chip-enabled cards.
>

Yes, yet another attack against the legacy support for magstripe cards in
C&P.

The US banks only have themselves to blame here. It certainly isn't a
merchant issue.

Relying on password security for financial transactions is stupid. Printing
the password on the front of the card is triple stupid with a side order of
negligence.

The reason these attacks are taking place is the creaky financial services
network infrastructure. The US banks are so far behind their authorization
systems can't even reject the transactions as presenting an unknown
authorization system.

This is not a situation that Target or Home Depot have any ability to
control. The solution is 100% in the banks court. They have access to the
technology, they bear the loss, they should either eat it or pay to deploy
technology that would eliminate the fraud channel.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141207/a7ee94c7/attachment.html>

More information about the cryptography mailing list