
posted by takyon on Thursday October 22 2015, @01:44AM
from the slim-pickings dept.

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash were seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."


  • (Score: 3, Insightful) by jmorris on Thursday October 22 2015, @03:07AM

    by jmorris (4844) on Thursday October 22 2015, @03:07AM (#253067)

    That is a pretty obvious exploit. The three phases, card authentication, cardholder verification, and then transaction authorization are treated as independent instead of dependent which is how the exploit worked, pass the first and last through to the real chip while handling the cardholder verification in the fake. A correct implementation would require each section to incorporate hashes of each of the earlier ones such that the final transaction would 'seal' both the random unique transaction identifiers, keys of the card, merchant terminal and issuing bank and the purchase amount and unit in the final record, all cross signed by all parties.

    Good for late 20th Century tech but sorely in need of a rethink and a 2.0 rollout. In another couple of years, as Moore's Law provides a little more, 3.0 can include moving the pinpad and a fingerprint reader onto the card itself. And no, putting this stuff in phones is dumb. Phones have hundreds of apps, multi-gigabyte operating systems developed in the fastest 'Agile' process possible and will never be close to as secure as what can be embedded into ROM on a card.

  • (Score: 0) by Anonymous Coward on Thursday October 22 2015, @03:29AM

    by Anonymous Coward on Thursday October 22 2015, @03:29AM (#253075)

    "And no, putting this stuff in phones is dumb. Phones have hundreds of apps, multi-gigabyte operating systems developed in the fastest 'Agile' process possible and will never be close to as secure as what can be embedded into ROM on a card."

    Most CPUs in smartphones have a "secure mode" that is not available from applications or even the OS. It's kind of like TPM.

    • (Score: 2) by jmorris on Thursday October 22 2015, @04:36AM

      by jmorris (4844) on Thursday October 22 2015, @04:36AM (#253096)

      Who cares? There is far too much running on a phone. Who can assure the path between the merchant terminal and the secure chip, between the secure chip and what displays on the screen, etc? Yes I know that my 2012 vintage phone has a poorly documented direct connection between the SIM and the NFC hardware for example. It isn't explained anywhere but there it is on the schematics. But it is still putting far too many moving parts, most of which are hackable, into what should be an entirely sealed system.

      I'm almost 100% RMS Pure but this is no place for Free Software. The credit card should always be property of the issuing bank and have absolutely zero capability for modification in the field and while the internals should be public knowledge (security by obscurity never works) there has to be secrets in the card that must be kept. This is exactly the opposite from what I want in a phone, making a phone secure enough to do this stuff on makes for a locked down phone I would never be caught dead with. A phone I don't have root on isn't going in my pocket, while a credit card I can hack is worthless.

      • (Score: 1, Funny) by Anonymous Coward on Thursday October 22 2015, @06:33AM

        by Anonymous Coward on Thursday October 22 2015, @06:33AM (#253107)

        I'm almost 100% RMS Pure but this is no place for Free Software.

        What does this have to do with Free Software? All software should be Free Software, so if you mean that this software shouldn't be, then I disagree entirely.

      • (Score: 2) by pendorbound on Thursday October 22 2015, @02:26PM

        by pendorbound (2688) on Thursday October 22 2015, @02:26PM (#253237) Homepage

        It's about being relatively more secure.

        I guarantee a bug in all of that stuff going on in your phone is less likely to result in a financial loss to you than dropping a $100 note or your magstripe only credit card on the ground. Nothing is perfect. Better than status quo is a reasonable goal.

  • (Score: 2, Disagree) by frojack on Thursday October 22 2015, @06:35AM

    by frojack (1554) on Thursday October 22 2015, @06:35AM (#253108) Journal

    Obvious exploit?

    Steal a dozen high limit credit cards with nobody knowing about it?
    Weld a super thin chip on top of an existing chip and still have it fit in a reader?
    And do this so quickly on a stolen card that you can get that card out in the field before the rightful owner notices that it is missing?

    "the most sophisticated smart card fraud encountered to date." According to the investigators.

    But hey, this guy posting on the internet said it was an obvious exploit.

    You really are full of yourself aren't you, jmorris!

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Thursday October 22 2015, @07:42AM

      by Anonymous Coward on Thursday October 22 2015, @07:42AM (#253118)

      He means the protocol error. He's right there.
      Still, from a tech point of view this is a very fine hack.

      Funny thing is: they 'only' stole 600,000 euro. My guess is the skills shown by whoever created this are worth more in gainful employment over a few years without any of the risks of crime.

      • (Score: 2) by jmorris on Thursday October 22 2015, @05:02PM

        by jmorris (4844) on Thursday October 22 2015, @05:02PM (#253292)

        Yup, that is what I'm getting at. As soon as I read the article the first thought was "WTF? Who designed the protocol with such an obvious exploit?" Then I read on and saw that the PIN step was designed to be optional. So defective by design. They are going to need a 2.0, backward compatible only for a limited time update. At a bare minimum the chip must include the presence/absence of the PIN in the final authorization. Then if the chip says it was never asked to validate a PIN and the terminal says it sent one, detection is easy. And all the way up to both the card issuer and merchant financial institution the lack of PIN will be recorded permanently.
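The decoupling the story describes and the minimal fix jmorris proposes above (carry the card's own record of whether a PIN was checked inside the final authorization cryptogram), as an added Python simulation that is not from the story, the researchers' paper or any commenter. The HMAC stand-in for the EMV cryptogram, the key, the wedge model and all values are constructed; the code shows that once the PIN result is bound into the cryptogram, the issuer can reject a transaction where the terminal's CVM result disagrees with the card's, and that a wedge rewriting the card's record would break the MAC.

```python
import hashlib
import hmac
import os

# Constructed demo key. A real card's key is provisioned by the issuer and never leaves the chip.
CARD_KEY = b"constructed-demo-card-key"


def card_cryptogram(key, amount, unpredictable_number, pin_verified, bind_cvm):
    """Card-side MAC over the authorisation data (a stand-in for the EMV cryptogram).
    bind_cvm=False leaves the card's own PIN-check result out of the signed data,
    the decoupling the story describes; bind_cvm=True covers it with the MAC."""
    msg = b"%d|%s" % (amount, unpredictable_number.hex().encode())
    if bind_cvm:
        msg += b"|pin_verified=%d" % pin_verified
    return hmac.new(key, msg, hashlib.sha256).digest()


def issuer_authorise(amount, unpredictable_number, cryptogram,
                     terminal_claims_pin, card_reported_pin, bind_cvm):
    """Issuer-side checks. Returns (authorised, reason)."""
    expected = card_cryptogram(CARD_KEY, amount, unpredictable_number,
                               card_reported_pin, bind_cvm)
    if not hmac.compare_digest(expected, cryptogram):
        return False, "cryptogram mismatch: card data altered in transit"
    if bind_cvm and terminal_claims_pin and not card_reported_pin:
        return False, "terminal reports PIN verified but the card never checked one"
    if not bind_cvm:
        return True, "cryptogram valid; PIN result not bound, issuer cannot tell"
    return True, "cryptogram valid and PIN result consistent"


def run_transaction(amount, wedge_present, bind_cvm):
    """Simulate terminal <-> (wedge) <-> genuine card, then the issuer's checks."""
    un = os.urandom(4)  # terminal's unpredictable number
    # The terminal sends VERIFY PIN. The genuine card compares it to its stored PIN;
    # the constructed wedge instead answers 'PIN OK' itself, so the card never sees it.
    card_pin_verified = not wedge_present
    terminal_claims_pin = True  # the terminal's CVM Results say 'offline PIN verified'
    # Card authentication and the cryptogram request are passed straight through,
    # so the cryptogram and the card's own PIN record come from the genuine card.
    cryptogram = card_cryptogram(CARD_KEY, amount, un, card_pin_verified, bind_cvm)
    return issuer_authorise(amount, un, cryptogram, terminal_claims_pin,
                            card_pin_verified, bind_cvm)


if __name__ == "__main__":
    for wedge in (False, True):
        for bind in (False, True):
            print(f"wedge={wedge} bind_cvm={bind} ->", run_transaction(2500, wedge, bind))
```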

      • (Score: 2) by frojack on Thursday October 22 2015, @09:51PM

        by frojack (1554) on Thursday October 22 2015, @09:51PM (#253412) Journal

        Because it's very hard to steal a card, modify it with an additional chip, and get it into the field fast enough to milk it for lots of money before the owner notices it missing, and calls in, and the card gets canceled.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 1) by pTamok on Thursday October 22 2015, @10:31AM

      by pTamok (3042) on Thursday October 22 2015, @10:31AM (#253152)

      Steal a dozen high limit credit cards with nobody knowing about it?

      This is quite possible.

      Any competent pick-pocket can steal a wallet without you knowing about it.
      A good pick-pocket can put it back without you knowing.

      So (1) borrow* wallet (2) remove the least-used card from the selection of cards in the wallet (it'll be at the bottom of the stack, or in the most inaccessible slot, and will be least worn) (3) replace wallet.

      You do not notice the wallet was not in your possession for a short period, so have no reason to check if all your cards are still in it. Thieves have some time before you notice the card is missing and being used.

      Given the investment in technical nous for this operation, it is likely that good pickpockets were used. Or people like hotel cleaners and cloakroom attendants who have unsupervised access to wallets, although that is more risky as the location where the credit cards went missing can be determined by reviewing the travel history of the victims and looking for commonalities. Public random pick-pocketing of high-value marks is better.

      *borrow, not steal. Steal requires intent to deprive permanently, which is obviously not the case here.