Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Friday, August 05, 2016 Swati Khandelwal

hack-chip-pin-credit-card
Forget about security! It turns out that the Chip-and-PIN cards are just as easy to clone as magnetic stripe cards.

It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.

We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.

But, it turns out to be just a myth.

A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.

The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.

Here's How the Hack Work


The hack requires two processes to be performed.

First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, ATM's card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.

The shimmer sits between the victim's chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.

The criminals then use a smartphone to download this stolen data and recreate the victim's card in an ATM, instructing it to eject cash constantly.

Tod Beardsley, a security research manager for Rapid7, told the BBC that shimmer is basically a tiny RaspBerry-Pi-powered device that could be installed quickly to the outside of the ATM without access to the internals of the cash machine.
"It's really just a card that is capable of impersonating a chip," Beardsley said. "It's not cloning."
The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to make between up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.

Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.

Tuesday, October 20, 2015 Khyati Jain

hacking-chip-n-pin-cards
October 1, 2015, was the end of the deadline for U.S. citizens to switch to Chip-enabled Credit Cards for making the transactions through swipe cards safer.

Now, a group of French forensics researchers have inspected a real-world case in which criminals played smart in such a way that they did a seamless chip-switching trick with a slip of plastic that it was identical to a normal credit card.

The researchers from the École Normale Supérieure University and the Science and Technology Institute CEA did a combined study of the subject, publishing a research paper [PDF] that gives details of a unique credit card fraud analyzed by them.

What's the Case?

Back in 2011 and 2012, police arrested five French citizens for stealing about 600,000 Euros (~ $680,000) as a result of the card fraud scheme, in spite of the Chip-and-PIN cards protections.

How did the Chip-and-Pin Card Fraud Scheme Work?


On investigating the case, the researchers discovered that the now-convicted criminals actually modified stolen credit cards to insert a second chip inside them, which is:

Capable of spoofing the PIN verification the cards sent to a Point of Sale (POS) terminal.

A strange thing here is, the researchers used microscopic analysis and X-ray scans to look at where the chip-and-pin cards had been tampered with.

Performing Man-in-the-Middle Attack


The fraudsters took advantage of a long-known vulnerability in Chip-and-PIN systems to perform a "man-in-the-middle" (MITM) attack.

The flaw is a known protocol vulnerability in Chip and Pin cards that, in 2006, allowed criminals to use a genuine card to make payments without knowing the card's PIN.

Also Read: Smart ATM offers Cardless Cash Withdrawal to Avoid Card Skimmers.

The flaw actually takes advantage of how cards and card readers communicate with each other.

The second hobbyist chip (dubbed a FUNcard) - that the fraudsters inserted onto the card’s original chip - accepts any PIN entry.

Here's How:

A typical EMV transaction involves three steps:
  1. Card authentication
  2. Cardholder verification
  3. Transaction authorization
When a buyer inserts the altered card, the original chip allows to respond with the card authentication as normal. But, during cardholder authorization, the POS system would ask to enter a PIN.

In this case, the fraudster could respond with any PIN, and the fraudulent chip comes into play and will result in a "YES" signal regardless of whatever random PIN the thief has entered.
"The attacker intercepts the PIN query and replies that it is correct, whatever the code is," said ENS researcher Rémi Géraud. "That is the core of the attack."
The good part is: the vulnerabilities compromised by the fraudsters has been fixed—at least in Europe, the researchers declined to fully detail the new security measures.

What Does the Forensic Analysis say?

Chip-enabled Credit Cards hacking


The cyber criminals had miniaturized the backpack setup into a tiny FUN card chip, a cheap and programmable device used by DIY hobbyists.

The size of the chip was not larger than the regular security chip used in credit cards. This may increase the thickness of the chip from 0.4mm to 0.7mm, but perfectly feasible when inserted into a PoS system.

The now-convicted criminals stole credit cards and then removed the chip from them, solder it to the FUN card chip, and fixed both chips back-to-back onto the plastic body of another stolen card.

The result was a powerful device that the fraudsters then used to run victims out of their money.
"It was small enough they could fit the whole attack inside the card and use it to buy things in stores…It would be a bit harder to put it into the reader, but not so hard that you’d suspect anything," Géraud said. "It was quite clever, quite hard to detect, and for some time they managed to evade detection."

Role of X-Rays


The researchers could not perform a full tear-down or run any tests that would alter the data on the chip-and-pin card, so they used X-ray scans.

Also Read: How to Freeze Credit Report To Protect Yourself Against Identity Theft.

The researchers examined one of the devices (forged credit cards) with non-invasive X-ray scans, prior to which they discovered a hidden FUNcard logo on a chip inside.

They then reverse engineered the forged card's computational activity by analyzing the way the chips distributed electricity when inserted into a card reader; the timing of the card's power use revealed the occurrence of a man-in-the-middle attack.

To read the full research paper, download this PDF.

Thursday, October 01, 2015 Khyati Jain

chip-n-pin-cred-card
October 1 Liability shift ENDS!

Today, 1st October 2015, is the deadline for US-based Banks and Retailers to roll out Chip-embedded Credit Cards (powered by EVM Technology) to customers that will make transactions more secure.

EVM Technology stands for Europay, MasterCard and Visa -- a global standard for Payment Cards equipped with Chips used to authenticate chip card transactions.

Starting Thursday, Merchants must have new Payment Terminals installed to accept Chip Cards in their stores or restaurants. Otherwise, they will be responsible for credit card frauds.
Stephanie Ericksen, Visa's Vice President Risk Products said, "That's the date by which if a merchant doesn't have a chip terminal, and a counterfeit card is used at that location, they may be liable for that fraud on that transaction.''

60% Customers Still have Old Credit Cards


However, If you have not received a new credit card with chip technology, don't worry, you are not alone.

According to latest stats revealed by MasterCard, 60% customers still have Old Credit Cards based on Magnetic Stripe Technology, and it could take next 2-3 years to transform the whole payment system.
The number of chip cards in the U.S. from these issuers will grow to 60 percent by the end of this year, expanding to 98 percent by the end of 2017,” MasterCard said.
In the wake of numerous high-profile Data breaches, including Target, Neiman Marcus or The Home Depot, and increasing rates of Credit Card Fraud, the Payment Card distributors are migrating to this new technology to reduce the costs of Frauds.

Traditional Magnetic Stripe cards transmit your account number and secret PIN to merchants, which could be easily hacked by fraudsters and cyber criminals.

Whereas, In case of Chip-n-PIN EMV Card, Embedded microchip stores your data in encrypted form and only transmits a unique code (one-time-use Token) for every transaction, making it difficult for cyber criminals to use the card for counterfeit fraud.

Thus, the need to bring the Chip-n-PIN technology as soon as possible was intended. To elaborate more on Chip and PIN Smart Payment Cards, they are capable of:
  1. Initiating Two-factor authentication (2FA) by applying Tokenization process.
  2. Decreasing card Counterfeit rates.
  3. Contactless card reading.
  4. Eliminating the Card swipe method by enabling “Card Dipping”- putting the card into a terminal slot and waiting for it to sense and process.
Also, if these EMV cards get stolen, the information on the chip gained by an attacker will be of no use because the stolen transaction number created in that instance is unique and cannot be reused and after “dipping” it will deny the card.

This New Payment Card can be called by various names, such as:
  • Smart card
  • Chip card
  • Smart-chip card
  • Chip-enabled smart card
  • Chip-and-choice card (PIN or signature)
  • EMV smart card
  • EMV card
  • Chip and Dip card

Is Chip and Pin Technology Safe Enough?


Well, all anti-cloning theories are already proven wrong by security researchers and hackers.

Check out some previous articles posted on The Hacker News about hacking Chip-and-Pin cards :
Also, for online usage, neither a PIN nor a Signature is required, so just stealing credit card numbers is sufficient to use them for Fraud.

Future of Payment Cards

chip-n-pin-cred-card

Moreover, as a solution, mobile payment and digital wallet services like Apple Pay and Google Wallet can be promoted by adopting more robust security mechanism and protocols; and making monetary transactions more safe and easy.

Another solution could be considered as the use of multiple factor authentication methods like Biometrics.

Also, you can take a sneak peak into this Video, where Jerry Irvine, member of the U.S. Chamber of Commerce Cyber Security Leadership Council and CIO of Chicago-based Prescient Solutions, in an interview with Slashdot Media discusses the new technology and its principles that promise safe payment practices.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!