Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Thursday October 22 2015, @01:44AM   Printer-friendly
from the slim-pickings dept.

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash was seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by ledow on Thursday October 22 2015, @11:30AM

    by ledow (5567) on Thursday October 22 2015, @11:30AM (#253167) Homepage

    4 is not the limit.

    My girlfriend has ordinary Italian credit and debit cards. They have 6 or sometimes 8 digit PINs and work in other European and UK ATM's and chip-and-PIN machines too.

    Nobody ever said "You can only use four with this technology". They've stuck with four because you what you know, expect and (presumably) can remember. It's not a technical limit, it's an option.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1) by Webweasel on Thursday October 22 2015, @02:53PM

    by Webweasel (567) on Thursday October 22 2015, @02:53PM (#253244) Homepage Journal

    I was in Rome a few weeks back.

    Grandfather took the family to McDonalds to get some icecream.

    The automated order machines confused us a lot, as when you got to payment there was no language option.

    To authorise the card? Use your finger to sign on the pad (it was a chip and pin pad with touch screen)

    Of course we couldn't read the Italian, so entered the pin number.

    So, chip and pin... whats the point when vendors don't use it? I could have stolen anyones card, bought goods and "signed" with a finger swipe.

    --
    Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
  • (Score: 1) by pipedwho on Thursday October 22 2015, @11:14PM

    by pipedwho (2032) on Thursday October 22 2015, @11:14PM (#253431)

    In Australia, my cards have all had 12 digit PINs for as long as they've had EFTPOS (well before the current EMV Chip & PIN thing). You have to ask the bank specifically to let you put in the longer PIN, and the maximum was 12 digits as specified by the EFTPOS (and now EMV) standards.

    [RANT]
    The only annoying thing is that the keypad debounce logic in most of the recent ATMs made over the last 10 years seem to have been programmed by incompetent idiots. I used to be able to put my 12 digits in faster than most people could type in their first digit. But, these days, the audible feedback comes in so late that you can't tell if you've hit the button. And, worse, the debounce lockout is on the order of >500ms. So if you go a little too quick, it drops a digit somewhere in the middle and you get a PIN error at the end of the transaction and have to start all over again. This is painful, and the people that signed off on this being OK (and the imbeciles that programmed it) need to be flogged old school style for the pain they've inflicted on billions of users around the world.

    Doubly annoying is all the recent ATMs take forever before the UI becomes active. You have to wait an eternity before it even lets you put your card in after the previous person. If you try to put it in too early, it just rejects it. Then you have to wait way too long before you can start putting in your PIN. If you're lucky enough to get this far, they hit you with a painfully slow PIN entry, followed by a bunch more delays. I can live with real delays, like waiting for the bank to approve the transaction - but that seems to be fastest part. Even the dispensers are quick by comparison. But, the UIs are ALL just painful.

    It used to be embedded firmware/hardware engineers would do that level of interface implementation, but now it seems to be done by a work experience kid in the 'web dev' department. (IBM, NCR, Diebold - I'm looking at you.)
    [/RANT]