SoylentNews is people

posted by takyon on Thursday October 22 2015, @01:44AM
from the slim-pickings dept.

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash were seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."


  • (Score: 3, Insightful) by LoRdTAW on Thursday October 22 2015, @01:05PM

    by LoRdTAW (3755) on Thursday October 22 2015, @01:05PM (#253202) Journal

    What infuriates me about this is a cashless society would be solely in the hands of the banks and not the people/government like cash. This gives the few credit card companies a monopoly on the control of money. It also gives them free rein to charge merchants for transactions on EVERY monetary transaction. It's legislated infinite profits for banks. Capitalism at its finest!

  • (Score: 2) by Snow on Thursday October 22 2015, @03:51PM

    by Snow (1601) on Thursday October 22 2015, @03:51PM (#253268) Journal

    You know... There is an open source alternative - Bitcoin. Unfortunately, just like linux on the desktop, it's not that popular (yet?).

    • (Score: 2) by LoRdTAW on Thursday October 22 2015, @04:50PM

      by LoRdTAW (3755) on Thursday October 22 2015, @04:50PM (#253284) Journal

      My beef isn't with the alternatives. It's the shifting of control over a nation's currency from public to private providing the benefactors with free welfare.

    • (Score: 0) by Anonymous Coward on Thursday October 22 2015, @08:34PM

      by Anonymous Coward on Thursday October 22 2015, @08:34PM (#253365)

      it's not that popular

      WRT Linux, it depends on where you look.
      (Robert Pogson has repeatedly found that islands in particular are fertile ground for Linux adoption.)

      It also depends on what you call a "desktop".
      (Most folks only use handheld thingies these days.)
      ...and StatCounter--by sloth or by design--has difficulty identifying Android devices as Android devices.

      Pogson's latest discovery is the Caribbean island of Dominica [mrpogson.com] with some interesting numbers.
      The peak at 38 percent will raise some eyebrows.

      -- gewg_

    • (Score: 2) by HiThere on Thursday October 22 2015, @10:27PM

      by HiThere (866) Subscriber Badge on Thursday October 22 2015, @10:27PM (#253422) Journal

      There are some real problems with scaling up bitcoin. The design inherently causes each succeeding bitcoin to be harder to mine...and the scale isn't merely linear.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.