According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal.
After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.
Litan said attacks like this one illustrate the importance of banks setting up EMV correctly.
“I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”
The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil.
The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.
“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said.
Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).