Criminals have stolen more than €1.5 million ($1.65 million) from a German bank by cloning customer debit cards and then cashing out user funds across Brazil, despite the original cards being protected by EMV (chip-and-PIN) technology.
The thefts happened last week and involved the customers of German bank Oldenburgische Landesbank (OLB).
The incident caught the eye of several cyber-security experts who noted the peculiarities of the thefts, which only involved Mastercard debit cards issued by OLB.
OLB: No security breach
In a statement released following the incident, on Friday, August 27, the German bank said that only 2,000 customers were impacted, and that they already refunded all affected customers.
The bank also moved in to block all Mastercard debit cards following the attack, and is now in the process of issuing replacements.
OLB said the thefts were the result of “organized cybercrime involving counterfeit cards and terminals” and denied rumors swirling in German media that it suffered a security breach.
OLB did not return an email or phone call from ZDNet seeking additional comments about the incident.
Brazil — a hotspot of EMV cloning
The hacks have left many German customers wondering how was it possible for the criminal group to clone EMV-based cards since chip-and-PIN technology was advertised as a way to stop such attacks.
But in reality, such attacks are possible and have been happening for a few years. The fact that they happened in Brazil, is also no surprise as the country’s local cybercriminal gangs have a reputation of being able to clone EMV cards, according to a Kaspersky report from 2018, when such attacks have started to increase in frequency and sophistication.
Manuel Pintag, a cybersecurity analyst and banking fraud expert for Telefonica, told ZDNet that Brazil and Mexico are “the largest EMV card cloning laboratories.”
Local criminals often advertise tools to aid in the creation of fully functional clones for EMV cards.
To clone a modern chip-and-PIN card, Pintag told ZDNet that all criminals need is a copy of a legitimate EMV card’s magnetic strip.
To obtain such information, criminals often rely on card sniffing devices installed on ATMs or POS terminals, which are also suspected as the primary sources for the debit cards used in the recent OLB incident.
As Kaspersky pointed out in its 2018 report, a valid PIN isn’t always even needed, with some cloned cards working with any random PIN entered in a POS or ATM terminal.
In a statement sent to ZDNet, Mastercard said it is still investigating the incident, but the payments processor was able to shoot down some rumors.
“We can confirm that neither Mastercard’s network or the EMV technology were compromised,” a Mastercard spokesperson said. “Nor has any account or card data been hacked either at Mastercard, OLB or at a third party. This issue derived from a scam involving organized cybercrime using counterfeit cards and terminals.”
For the past few years, detecting withdrawals from cloned EMV cards has been a problem for banks around the world.
As Pintag told ZDNet, the easiest way is to monitor for the location and time of financial transactions. Often, fraudulent transactions are mixed with legitimate ones, in two countries at the same time, which Pintag said is a good indicator that card fraud is happening.
Article updated 15 minutes after publication with statement from Mastercard.