Chip-based cards targeted after Home Depot hack

Chip-based credit cards, promoted as a way to quell the rising tide of data breaches, are reportedly falling victim to fraud in the wake of the massive Home Depot hack.

Security researcher Brian Krebs first reported Monday that financial institutions had flagged tens of thousands of dollars of fraudulent chip-enabled credit and debit card transactions.

The accounts compromised were “principally” those exposed during the Home Depot breach, which involved the credit and debit information of 56 million people who shopped at the chain earlier this year.

Chip-enabled cards authenticate purchases through an embedded cryptographic chip. Variations of the technology use a second type of authentication in the form of a signature or PIN.

Retailers, banks, and the U.S. government have all committed to transitioning to the technology completely by October 2015, when those without chip-based capability will become liable for fraud.

President Obama also recently issued an executive order to move all government credit cards and retail terminals to the chip-and-PIN system quickly.

It “has proven to substantially reduce fraud,” said Allie Brandenburger, senior director of communications at the Retail Industry Leaders Association.

The feature is already standard in Europe, but American cards largely rely on the more vulnerable magnetic stripe.

“Chip-and-PIN cards is one important layer of protection needed to increase payments security,” Brandenburger said.

Krebs reported that at least three U.S. financial institutions have noticed these fraudulent charges coming from Brazil over the last week. One even told Krebs it had seen “a month’s worth of fraud” in just a few days.

The banks said the charges were made to look like chip transactions without a PIN.

But those banks hadn’t yet issued any chip-based cards. So they pushed back when MasterCard initially told them the transactions were legitimate.

Other fraudulent charges were noticed on Visa cards. Both companies declined to comment.

The majority of the fake transactions reportedly came through a mobile payment service, an area of increasing focus for U.S. regulators.

— Updated at 7:20 p.m.