Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Thursday October 22 2015, @01:44AM   Printer-friendly
from the slim-pickings dept.

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash was seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday October 22 2015, @09:20PM

    by Anonymous Coward on Thursday October 22 2015, @09:20PM (#253394)

    That's what gets me about all these "cracking" episodes.
    I keep hearing that there is no penalty for entering incorrect information.
    An escalating (wait) time interval should be a minimum penalty for entering a password wrong.

    your card [gets] blocked

    Yeah. Who are these nitwits that think it's a good idea to allow an obvious bad guy to keep hammering on the door after X number of tries?

    -- gewg_