Brazilian thieves stole €1.5 million from MasterCards equipped with EMV security technology. The attack took place on August 27th and affected 2,000 customers of Oldenburgische Landesbank (OLB), a German bank. OLB released a statement stating it refunded all victims in full.
OLB blamed the attack on organized cybercrime professionals operating “counterfeit cards and terminals”. The bank claims no security breach of its systems occurred.
In a statement, MasterCard played down consumer fears the attack showed an inherent flaw in the EMV system. Rather, it appears the attackers followed an increasing trend of cloning the magnetic strip of legitiate EMV enabled cards.
“We can confirm that neither Mastercard’s network or the EMV technology were compromised,” a spokesperson for Mastercard told ZDNet. “Nor has any account or card data been hacked either at Mastercard, OLB or at a third party. This issue derived from a scam involving organized cybercrime using counterfeit cards and terminals.”
Sophisticated attacks increasingly compromise EMV magnetic strips by hijacking ATM and point of sale infrastructure. Once a terminal is successfully infiltrated, it can feed cyber thieves information about anyone who uses that terminal until the vulnerability is discovered. In some cases, criminals can even manage to steal funds from the card without having the PIN number attached to it.
Unfortunately, this type of attack is one of the most common eCommerce fraud trends of 2019. There is little doubt that it will continue through into the new year and beyond. There is little customers can do to protect themselves in real-time, since the card sniffing devices that make make the scam possible show no signs of tampering during use. Unlike online card skimming attacks, the lack of any true footprint until it is too late remains problematic for prevention across the banking industry.
Overall, the best defense remains closely monitoring credit card statements for any signs of unusual or fraudulent activity.
Sources:
https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/