Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)

An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.
  • by bobbied ( 2522392 ) on Tuesday October 20, 2015 @10:07AM (#50765697)

    Improbable anybody would do it..

    • by Capt.Albatross ( 1301561 ) on Tuesday October 20, 2015 @10:14AM (#50765745)

      It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

      Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

      • by fustakrakich ( 1673220 ) on Tuesday October 20, 2015 @10:35AM (#50765865) Journal

        Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

        Maybe you should ask their boss that question...

      • It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

        Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

        Because everyone is stupid when it comes to security until something security related happens to them.

        • Because everyone is stupid when it comes to security until something security related happens to them.

          Not so much stupid as lazy. And a big part of the problem is that most of the time, security people are the boy crying wolf.
          How many times have we heard about vulnerabilities that had no impact? If we react to every single warning we'd never get anything done. So maybe the correct path is to ignore security people most of the time. The real trick however, is knowing when to pay attention and act.

      • by Baron_Yam ( 643147 ) on Tuesday October 20, 2015 @11:02AM (#50766013)

        Because the frauds committed aren't even big enough to be a line item in their budget. Why invest in security now when you might not need to fix the problem for a budget year or two?

        It's a coldly calculated financial decision.

        • I think I'll stick primarily with good old fashioned cash. It isn't as readily hacked, and is virtually untraceable to any company or govt wanting to know what I'm spending my $$ on.
          • by Anonymous Coward

            Not easily hacked: As long as your home is adequately protected from break-ins.

            Not easily tracked: Unless you spend more than $10k, in which case the purchase will be reported to the IRS.

            The worst part is that since a PIN hack puts liability for fraud on the cardholder (bank logic: PIN is unbreakable, so it's the cardholder's fault if it gets stolen) this ends up being bad for the consumer. That's why I'm OK with PIN/swipe & signature (bank logic: signatures are unreliable, so the bank writes off the odd

          • by swb ( 14022 )

            I think I'll stick primarily with good old fashioned cash. It isn't as readily hacked, and is virtually untraceable to any company or govt wanting to know what I'm spending my $$ on.

            It isn't readily hacked as long as your definition of "hacked" doesn't include counterfeiting or theft.

            It isn't traceable unless you start engaging in transactions in excess of the reporting limits or they decide to investigate you because you're avoiding the transaction limits.

          • This hack requires the criminal to physically steal your card. Once stolen, this hack allows the criminal to use your card even if he does not know the pin. Does your stolen cash require a pin number to use it? Unless you have some kind of magical money that can't be physically stolen, cash is actually easier to "hack" than these cards.
            • While true, you don't generally carry the same amount of cash as you have in your bank account or your available credit. That being said, you can already use a credit card without a pin: order something online, or use contactless payment.

              I think it is strange that the pin is simply not put in as part of the response to the challenge-response. I think it is strange that the actual card says pin ok, as opposed to sending that information off to the bank to validate.

              • I think it is the laptop that says "pin ok" to the vendor, and the laptop says "vendor didn't ask for a pin" to the chip in the card. It's like a man in the middle attack.
                • Yes. This is very precisely a MITM attack.

                  Why is the card response so pitifully simple? It should have been cryptographically signed with a private key embedded in the card, so that the "yes" answer can't be synthesized by the interception chip.

                  Sigh.

                  • Agreed. But even with this particular threat, these cards are still way more secure than what we had before. And this particular flaw should hopefully be fixed. Ideally I'd like to see number+expiration date (i.e. only things you know) methods of authentication be completely deprecated, and have even online shopping authenticated with a reader attached to the shopper's home computer.
          • I think I'll stick primarily with good old fashioned cash. It isn't as readily hacked,

            Except by any bum with a knife at your throat.

      • We just don't like to acknowledge them and prefer to kid ourselves into thinking we're a meritocracy...
      • by mjwx ( 966435 )

        It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

        Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

        Because making the right decision on security will affect convenience, and if you affect convenience people will stop using credit cards and start using cash again. If people started using cash again, credit card companies can't charge merchant service fees to merchants (as a side effect, merchants will be able to drop prices whilst increasing profit). Fewer merchants paying fees means less profit for banks.

        So they are happily sacrificing security because it's cheaper than the profit they'd lose.

        Besides, th

    • by AmiMoJo ( 196126 ) on Tuesday October 20, 2015 @10:20AM (#50765781) Homepage Journal

      I'm wondering if they really fixed this kind of vulnerability too. If you read the paper [iacr.org] it seems that the device they added to the card was not fully compliant with the spec, not by a long way. So the most obvious and quick mitigation is to test for something that it is not compliant in. Such a test could be quickly bypassed once discovered, and turn the whole thing into a game of cat-and-mouse like the fake cable TV cards became.

      • by IamTheRealMike ( 537420 ) on Tuesday October 20, 2015 @11:23AM (#50766101)

        Yes, it's fixed properly. From the paper:

        It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks
        to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates.

  • We didn't lock the door because we didn't think anyone would try the knob? Hope somebody's head rolled for this incompetence!
    • We didn't lock the door because people had to turn the knob, but then people figured out how to make a device that just turns the knob for them, and here's how they did it!
  • by sasparillascott ( 1267058 ) on Tuesday October 20, 2015 @10:26AM (#50765811)
    Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article:

    https://krebsonsecurity.com/20... [krebsonsecurity.com]

    "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
    • Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article

      The CC number would have been compromised. But the PIN would be secret. The whole point of the PIN is that the CC# alone is not enough to complete a transaction.

      • The CC number would have been compromised. But the PIN would be secret. The whole point of the PIN is that the CC# alone is not enough to complete a transaction.

        But kind of a moot point, since in the US there is no "PIN" to go along with the Chip. It's just chip and sign; you don't have to come up with or remember a pin for each credit card you have and use with the new system here.

        • Signatures are now not accepted in Australia. Chip + Pin only (or Pay Wave).
          Far better since signatures were never checked anyway.

      • by guruevi ( 827432 )

        As these researchers have pointed out publicly in 2010, but all the way back to the early 2000's to these chip and pin companies, the pin can just as easily be read out with the right equipment. It was deemed 'impractical' but, as Krebs has pointed out and the Cambridge researchers as well in a more recent post, the technology to clone the necessary card info to do other transactions exists and has been perfected to the point of being nearly invisible.

    • Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article: https://krebsonsecurity.com/20... [krebsonsecurity.com] "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."

      Correct. Chip & PIN would not have solved anything.

      To provide an example...I used my Chip card the other day. The vendor was having an issue with their chip reader, so the POS operator put in an override to allow it to be swiped. So another easy way to bypass the Chips? Make a hack that makes the system think the reader is unusable.

      • It doesn't count as "chip and pin" if the hack involves bypassing the use of the chip and pin. A safe can't protect any items that aren't actually in it.
        • It doesn't count as "chip and pin" if the hack involves bypassing the use of the chip and pin. A safe can't protect any items that aren't actually in it.

          If you can by-pass it then it effectively nullifies any security provided, so yes, it does count.

          Even aside from that, chip+PIN is nowhere near as secure as things like Google Wallet that provide single-use card numbers for each transaction.

          It's also been shown that people can completely clone a chip+PIN card, again rendering the added security null and void.

          • If you can by-pass it then it effectively nullifies any security provided, so yes, it does count.

            So if I try to rob a house, and I "bypass" the security system by robbing the next house over, does that mean the security system of the first house sucks?

            Even aside from that, chip+PIN is nowhere near as secure as things like Google Wallet that provide single-use card numbers for each transaction.

            How is this more secure?

            It's also been shown that people can completely clone a chip+PIN card, again rendering the added security null and void.

            Do you have a citation?

            • If you can by-pass it then it effectively nullifies any security provided, so yes, it does count.

              So if I try to rob a house, and I "bypass" the security system by robbing the next house over, does that mean the security system of the first house sucks?

              If you are able to use entry into the second house to steal stuff from the first house, then yes, the security on the first house is insufficient protection. If the two are completely unrelated, then the security of the first makes no difference.

              In this case, card vs card+chip+pin is like two homes with a tunnel between them. The first home might be more secure, but the tunnel doesn't have any security on it. So the valuables in the first house are still at risk through entry into the second hous

              • If you are able to use entry into the second house to steal stuff from the first house, then yes, the security on the first house is insufficient protection. If the two are completely unrelated, then the security of the first makes no difference. In this case, card vs card+chip+pin is like two homes with a tunnel between them. The first home might be more secure, but the tunnel doesn't have any security on it. So the valuables in the first house are still at risk through entry into the second house; and the guy that sold the first house to the current owners failed to mention the existence of the tunnel.

                Yes, it is exactly like this, if the tunnel was put there specifically for people who did not know how to properly authenticate themselves to the security system, with the understanding that the tunnel will eventually be filled in when enough people know how to properly authenticate themselves. My point is that the existence of the tunnel is not a weakness in the security system; it is a temporary tunnel specifically designed to bypass the system, and can easily be filled in whenever "we" want.

                The card number is single use. If they try to use it again, it doesn't work

                I

      • This is even more silly: where I live, if you simply put your card in backwards, the reader will say "read error", ask you to swipe, then ask you to put the card in again; if you put the card in backwards again it will ask to swipe and accept that. Yes, you need to know the pin, but you don't need the chip.

        It reminds me of Microsoft Bob's security: if you entered your password wrong 3 times, it would ask if you wanted to change it.

        • This is even more silly: where I live, if you simply put your card in backwards, the reader will say "read error", ask you to swipe, then ask you to put the card in again; if you put the card in backwards again it will ask to swipe and accept that. Yes, you need to know the pin, but you don't need the chip.

          Yeah. It doesn't save anything - just causes more headaches. They're only going after it to shift some liability.

          It reminds me of Microsoft Bob's security: if you entered your password wrong 3 times, it would ask if you wanted to change it.

          lol...kind of like a disk encryption software I used a few employers ago...if you ran out of attempts it was supposed to require help desk to unlock it. I accidentally discovered all you had to do was reboot the computer - even a soft-reboot worked IIRC.

    • by AmiMoJo ( 196126 )

      This doesn't seem to be right. To make online transactions you need the CCV number on the back of the card. That number is not normally transmitted when you make a chip-and-pin payment. At least, that's the way it works in Europe, maybe the US chip-and-pin system is different.

      • This doesn't seem to be right. To make online transactions you need the CCV number on the back of the card. That number is not normally transmitted when you make a chip-and-pin payment. At least, that's the way it works in Europe, maybe the US chip-and-pin system is different.

        The CVV can be read, in clear text, from the terminal data. It is not encrypted. While they do not need to store the CVV data separately from the encrypted card data, Target could still have access to this info.

    • Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article: https://krebsonsecurity.com/20... [krebsonsecurity.com] "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."

      Except that chip cards don't provide the same card number for every transaction. In an EMV transaction the cashier requests that the terminal read the chip. Data from the chip gets sent to the processor. The processor sends data back to the card, which is then used to perform an action on the chip. Once the chip is done, it sends all of the information needed to capture the transaction to the processor. But it does not contain the actual card number.

      EMV transactions all contain cryptograms with the ca

    • Well the idea is that once there are enough chip readers out there, then banks don't need to accept numbers and expiration dates as valid authentication anymore. People can even get chip readers in their homes for instantly authenticated online purchases.

      So a deadbolt on your front door is not going to keep a burglar from going into the back door you left open, but that doesn't mean your deadbolt isn't secure, it just means you need another deadbolt on your back door too.

  • by rjstanford ( 69735 ) on Tuesday October 20, 2015 @10:29AM (#50765827) Homepage Journal

    If you read TFA, you'll see that the issue exists because people wanted the card to be able to be used without the PIN present, presumably in cases where a PIN terminal wasn't available. All that the hack does is convince the card to process the transaction as if it was a chip-and-signature transaction, which most places can choose to trigger by hand.

    As long as you want cards to work without the PIN, they will be vulnerable to being told to work without the PIN. That's just a fact, unfortunately.

    The other benefits of chip transactions, the best of which is that each transaction is unique rather than simply a relay of TRACKDATA with a M_ID and an amount attached to it (basically making stolen card transmissions worthless instead of the current "just as good as a real card"), still remain and are highly significant.

    • You could build a system where you allow chip and sign, while making this MITM attack impossible. All it requires is end-to-end hashing and signature of the whole conversation. We already have protocols like that baked into things like https.
  • Is it a rerun of the YesCard story from year 2000?
    A French engineer named Serge Humpich managed to make fake credit cards that could fool offline terminals no matter what PIN was entered.

  • I'm not the least bit sold on the security of these new cards. I had one issued to me by my bank a couple months ago, and the card was nonetheless compromised within a month. I made exactly one POS transaction with it at a chip terminal (several at non-chip terminals) and all of a sudden someone else decided to pay their cell phone bill with my card.

    Rather unsurprisingly said cell phone company didn't give a flying fuck about the fraud and refused to be the least bit helpful. Now I have to pay my ban
    • by IamTheRealMike ( 537420 ) on Tuesday October 20, 2015 @11:26AM (#50766129)

      "I used my card in the old insecure mode several times and then am surprised when the card got skimmed"? Really?

    • by Nkwe ( 604125 )

      I'm not the least bit sold on the security of these new cards. I had one issued to me by my bank a couple months ago, and the card was nonetheless compromised within a month. I made exactly one POS transaction with it at a chip terminal (several at non-chip terminals) and all of a sudden someone else decided to pay their cell phone bill with my card. Rather unsurprisingly said cell phone company didn't give a flying fuck about the fraud and refused to be the least bit helpful. Now I have to pay my bank to go after it.

      What does the cell phone company have to do with it? Your dispute is with the bank that issued your credit card. If your bank is charging you to dispute a fraudulent credit card charge, you need to find a different bank.

      • What does the cell phone company have to do with it?

        When I call a merchant directly and tell them my card has been used fraudulently they should be willing to take my information and - at the very least - blacklist my card number upon my request so that it is never used again. They offered to do exactly nothing for me as I did not know the phone number that was used for the transaction.

        I've known other vendors - Blizzard comes to mind - who would go much further and reverse the charges over the phone.

        Your dispute is with the bank that issued your credit card.

        No, the dispute is with the merchant who was willing

        • by PPH ( 736903 )

          When I call a merchant directly and tell them my card has been used fraudulently

          You don't call the merchant. You call your bank (the card issuer) and contest the charges. The bank reverses the payment and then it's the bank vs the merchant for lax security procedures, accepting bad signatures, etc.

          If a merchant develops a bad track record w.r.t. accepting questionable cards, the bank (actually, I think it's the clearing company, like VISA) will levy a surcharge on that merchant and eventually blacklist them.

        • When I call a merchant directly and tell them my card has been used fraudulently they should be willing to take my information and - at the very least - blacklist my card number upon my request so that it is never used again.

          Even though you're not their customer? Yeah, there's no way that that could ever be abused.

          There are well-established procedures for handling these kinds of situations; if you follow them then most everything "just works".

          • When I call a merchant directly and tell them my card has been used fraudulently they should be willing to take my information and - at the very least - blacklist my card number upon my request so that it is never used again.

            Even though you're not their customer? Yeah, there's no way that that could ever be abused.

            I have the card. It is in MY name. They took it and accepted it from someone else who is not me, and does not live at my address or have my phone number. I should be able to say "this is my card, do not ever accept it". Other vendors are more than happy to oblige to that request.

            It's not like it would be useful for someone to call and start guessing card numbers randomly for such a request, and they would have almost no chance of matching card numbers to names if they did.

            There are well-established procedures for handling these kinds of situations; if you follow them then most everything "just works".

            There are also well-estab

            • I should be able to say "this is my card, do not ever accept it".

              No, you should not. If you can do that with your card information, then I can do that with your card information. If I do that with your phone company, then what?

              What you should do is contact your bank and contest the charges. Talking to the vendor is a waste of everyone's time. Most of all yours. They have zero obligation to you.

      • "I made exactly one POS transaction with it at a chip terminal (several at non-chip terminals) and all of a sudden someone else decided to pay their cell phone bill with my card."

        I'm betting the cell phone bill was paid online. Still no real security for EMV cards online, as there is no EMV in a card-not-present transaction. It's not even track data, just the account number, expiration date, and CVV/CID. Which, if the fraudster had the CVV, means they had your card at some point or saw front and back.

        I h

    • Did you use this card online to pay for things?

      If so, that's the most likely way that your card was compromised. As other posters have stated, your issue is with the bank, not the phone company.

      Just dispute the charge with the bank, and it comes off your bill.

    • I don't your account of what actually happened can be trusted because you are a fucking moron.
      • You are so kind with your grammatical incoherence. May you have a great day, sir. Should you ever care to come back to actually discuss the topic, feel free to grace us again with your presence at that time.
        • I apologize for the typographical error. I meant to say that I don't *trust* your account of what actually happened because of your intellectual deficit, sir. Had someone of normal mental capacity made a similar claim, I might at least entertain the possibility that it was correct, but I am certain you just don't understand how anything works, and this general state of misunderstanding is no doubt what has led to your perception of events.
          • You bring a lot of bias in to this, but based on what? I seem to have angered you at some time but I don't recall a past interaction with you. You've made it clear that you don't like me but you have not done anything to explain why.
            • You haven't angered me. On the contrary, you have provided me with hours of entertainment.
              • Really? You expect me to believe that you're not angry when you come in lobbing insults and profanity? You haven't said a single word in this thread about the topic itself; instead you've been attacking me. If you are trying to act like a sane and non-angry person you are failing quite badly.

                Again, I don't know what I did to you to warrant such anger from you. If you'd like to discuss the topic, feel free.
                  • After anger comes laughter? Well, there are healthier ways to deal with the former than directing it randomly at people on slashdot, but there are worse options as well.
                    • You're like one of those dogs that falls down running across a slippery floor every single time. I feel a bit guilty laughing, but I just can't help it.
                    • So you just came here to troll me then, gotcha. Move along, have a nice day. You were very marginally successful in wasting my time but there are certainly less hackish ways to pull off that feat.
                    • Such as?
                    • Sorry kid, but I don't feel anywhere near bad enough for you to help you be a better troll.
                    • That's Ok sonny. You don't have to have all the answers. There are lots of nice and smart people out there who will take pity on you and make sure you don't hurt yourself too bad. You'll be ok. Just try to find an adult if you get scared.
  • by serviscope_minor ( 664417 ) on Tuesday October 20, 2015 @10:35AM (#50765863) Journal

    You'd think it would be obvious, but an attack never gets less good over time.

    Of course the research attack was large and bulky. It had a full laptop in a backpack and a bunch of not very dense electronics and stuff since it was part of a research demo. Research demos are generally the minimum required to prove that something works.

    Once an attack has been found the only vaguely sensible thing to assume is that it gets better, easier and more slick over time.

    Then again, the banks were idiots in the first place and tried legal threats to keep it quiet. Because as we all know that makes security holes vanish.

  • Chip&PIN has always been broken. We're already moving to systems such as Google Wallet / ApplePay, which (whether or not they actually are secure) at least have the theoretical potential to be secure - something which Chip&PIN could never claim.

    • by DarenN ( 411219 ) on Tuesday October 20, 2015 @11:11AM (#50766045) Homepage

      Chip and PIN is secure if used:
      1. With the card present
      2. With a PIN pad
      3. With online validation

      Which is all it ever guaranteed.

      Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)

      However, what this attack enables is allowing stolen cards to be used, because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible, but I have not heard of it being done) because there's a cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.

      Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.
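The situation DarenN describes above (the card still generates a genuine ARQC, so the cryptogram validates, yet the terminal believes a PIN was verified while the card believes it was a signature transaction) and the earlier wish that the card's "PIN OK" answer were cryptographically bound to the transaction are the same point seen from two sides. The toy model below is an added example, not code from the thread, from net-security.org or from EMVCo. It assumes an HMAC-SHA256 stand-in for the real symmetric ARQC (CDA's public-key signature is not modelled), a constructed key, PAN and message layout, and an issuer host that cross-checks the terminal's reported cardholder-verification result against the PIN-verified flag the card itself signed.

```python
"""Toy model of an EMV-style authorisation with an issuer-side cross-check.
Constructed for illustration: the key, PAN and message layout are invented
and do not follow the real EMV byte formats or key derivation."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key.  On a real card this is a per-card key derived from
# an issuer master key; it never leaves the chip.
DEMO_CARD_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(pan: str, amount: int, unpredictable: int, atc: int, pin_verified: bool) -> bytes:
    """The transaction data the card signs, including its own PIN-verified flag."""
    return f"{pan}|{amount}|{unpredictable}|{atc}|PIN={int(pin_verified)}".encode()


@dataclass
class Card:
    """The chip: holds the PIN, counts transactions, and signs only what it itself saw."""
    pan: str
    pin: str
    key: bytes = DEMO_CARD_KEY
    atc: int = 0  # application transaction counter

    def verify_pin(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self.pin.encode())

    def generate_arqc(self, amount: int, unpredictable: int, pin_verified: bool) -> dict:
        """Stand-in for the ARQC: HMAC-SHA256 over the card's view of the
        transaction (real cards use a symmetric session-key MAC; the idea is the same)."""
        self.atc += 1
        payload = _canonical(self.pan, amount, unpredictable, self.atc, pin_verified)
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()[:16]
        return {"atc": self.atc, "card_pin_verified": pin_verified, "arqc": mac}


def run_transaction(card: Card, entered_pin: str, amount: int, unpredictable: int,
                    pin_response_tampered: bool = False) -> dict:
    """Terminal side.  pin_response_tampered models the interposer the thread
    describes: the terminal is told "PIN OK" while the card is told no PIN was
    requested, so the card signs a cryptogram that says PIN=0."""
    if pin_response_tampered:
        terminal_pin_verified = True    # what the terminal believes
        card_pin_verified = False       # what the card actually did
    else:
        if not card.verify_pin(entered_pin):
            raise ValueError("PIN rejected at the terminal; no cryptogram requested")
        terminal_pin_verified = card_pin_verified = True
    crypt = card.generate_arqc(amount, unpredictable, card_pin_verified)
    return {"pan": card.pan, "amount": amount, "unpredictable": unpredictable,
            "terminal_pin_verified": terminal_pin_verified, **crypt}


def issuer_authorize(msg: dict, key: bytes = DEMO_CARD_KEY, cross_check: bool = True) -> str:
    """Issuer host.  msg carries the terminal's claim (terminal_pin_verified)
    next to the card's signed view (card_pin_verified + arqc)."""
    expected = hmac.new(
        key,
        _canonical(msg["pan"], msg["amount"], msg["unpredictable"], msg["atc"], msg["card_pin_verified"]),
        hashlib.sha256,
    ).hexdigest()[:16]
    if not hmac.compare_digest(expected, msg["arqc"]):
        return "DECLINE: cryptogram invalid"   # forged, or a clone that lacks the key
    # Network-level counter-measure: a genuine terminal and a genuine card agree
    # on whether a PIN was verified.  If the terminal says yes and the card's
    # signed data says no, something sat between them.
    if cross_check and msg["terminal_pin_verified"] != msg["card_pin_verified"]:
        return "DECLINE: terminal and card disagree on PIN verification"
    return "APPROVE"


if __name__ == "__main__":
    card = Card(pan="4111111111111111", pin="1234")  # constructed test PAN and PIN
    honest = run_transaction(card, "1234", amount=2500, unpredictable=0xC0FFEE)
    print("honest PIN transaction    :", issuer_authorize(honest))
    tampered = run_transaction(card, "0000", amount=2500, unpredictable=0xBEEF,
                               pin_response_tampered=True)
    print("tampered, cryptogram only :", issuer_authorize(tampered, cross_check=False))
    print("tampered, with cross-check:", issuer_authorize(tampered))
```

With `cross_check=False` the issuer only validates the cryptogram, and the tampered transaction is approved because the card really did sign it; that is the gap the thread is arguing about. The cross-check is the "network-level" half of the fix quoted earlier from the paper; CDA closes the same gap on the terminal side by having the card sign its response so the terminal itself can notice the disagreement before the authorisation request is ever sent.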

      • Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)

        And that's a real issue. That's why we in Europe right now have geofencing on our cards. When our card information is "stolen" it ends up being used on cloned cards in shops in other parts of the world. BUT, that's not just places like India (which is a perennial favourite), rather one of the major markets is the US as your POS security standards are so lax.

        So even if shoring up US standards would not help USians, it will help us in the rest of the world, by making one very popular attack less likely to suc

  • Improbable in computer security means inevitable. Impossible means it cannot be done - yet.

  • At least this hack requires the criminals to steal the actual card (rather than just skimming information from a real card when the owner lets you borrow it). I think 2-factor authentication is good and it's too bad this system failed, but the original mechanism of preventing unauthorized use without physical access to a real card seems to be working pretty well.
  • pfft, PIN (Score:4, Funny)

    by j2.718ff ( 2441884 ) on Tuesday October 20, 2015 @11:40AM (#50766245)

    We in the US have chip and signature, and are therefore immune to any such attack involving a PIN.

    • by mark-t ( 151149 )
      I am the only person on this planet that knows my PIN. If somebody steals my card, they don't have my PIN. If somebody should steal my PIN, they still don't have my card. Both are required to fake a transaction. Duplicating the magstripe on my card is insufficient because most places accept chipped cards, and if a magstripe duplicate of my card were placed in such a machine, it would indicate that the transaction must be completed with the chip, not the magstripe. They would, therefore, have to forg
    • by MobyDisk ( 75490 )

      I take security even further than that: Even I don't know my own PIN!

  • Since Slashdot is useless, I'll post a summary.

    http://www.net-security.org/im... [net-security.org]

    Stolen chip with malicious chip soldered on top. No idea why you need a second stolen card for the body as shown in the image.

    Malicious chip MITMs the POS PIN challenge and says it's all good. Malicious chip in this case is a "FUNcard" chip. Basically a generic system you can buy for your laundromat, arcade, carnival, whatever.

    This was done in France in 2011. EMVCo claims they've fixed this or made it harder. They won't say

    • by DarenN ( 411219 )

      Stolen chip with malicious chip soldered on top. No idea why you need a second stolen card for the body as shown in the image.

      So the card didn't have the chip protruding, which would have made it look tampered with. It may also have allowed the card to be inserted without damaging the new chip.

      This was done in France in 2011. EMVCo claims they've fixed this or made it harder. They won't say how. No one believes them.

      They will say how, they just won't give details. The basic problem is that you have offline PIN validation where the chip can validate the entered PIN and say "yo, it's all good, I've verified the PIN". This method is allowed for low-value stuff (think metro tickets) up to a bank-defined threshold for a bank-defined number of transactions, th

      • Why couldn't you just use the first stolen card's body?

        As for the PIN, if it's wrong in an offline environment you'd never know. At best, you can reduce the windows and thresholds for allowing cards to be used offline. You can't stop this attack with the current hardware while still allowing offline transactions.

        • by DarenN ( 411219 )

          Why couldn't you just use the first stolen card's body?

          You need the original chip intact and the thickness increased from 0.4mm to 0.7mm. This made it harder to get into the reader so I assume it was to prevent the chip on top being pressured which may screw up the contact to the chip below, and also the card would look weird if it was half again as thick.

          As for the PIN, if it's wrong in an offline environment you'd never know. At best, you can reduce the windows and thresholds for allowing cards to be used offline. You can't stop this attack with the current hardware while still allowing offline transactions.

          True, but the customer's never going to see it!

          There are 3 verification steps with EMV, card verification, cardholder verification and transaction verification. They were pretty coy about what they did but the
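The offline-PIN weakness DarenN describes (the chip answering "PIN verified" for the terminal while the cryptogram request is passed through to the real chip) and the separate card, cardholder and transaction verification steps, as an added toy simulation that is not from this thread, EMVCo or any card scheme: a genuine chip, an interposer that answers VERIFY itself, and an issuer check that compares the terminal's CVM claim with what the card itself recorded under the cryptogram. The status words, the HMAC-based cryptogram and the `cvm_flag` field are constructed, simplified stand-ins, not the real EMV data elements.

```python
import hmac

SW_OK = b"\x90\x00"         # status word the terminal reads as "PIN verified"
SW_PIN_WRONG = b"\x63\xc2"  # wrong PIN, retries remaining (illustrative value)

class GenuineCard:
    """Chip that really checks the PIN and remembers whether it did."""
    def __init__(self, key: bytes, pin: str):
        self.key, self.pin, self.pin_verified = key, pin, False

    def verify(self, pin: str) -> bytes:
        self.pin_verified = pin == self.pin
        return SW_OK if self.pin_verified else SW_PIN_WRONG

    def generate_ac(self, amount: int, unp: bytes) -> tuple:
        # The card's own CVM outcome goes under the MAC, standing in for the
        # issuer application data that a real cryptogram covers (simplified).
        cvm_flag = b"\x01" if self.pin_verified else b"\x00"
        data = amount.to_bytes(4, "big") + unp + cvm_flag
        return cvm_flag, hmac.new(self.key, data, "sha256").digest()[:8]

class Interposer:
    """Wedge chip as the thread describes: answers VERIFY itself, passes the
    cryptogram request through to the genuine chip underneath."""
    def __init__(self, real: GenuineCard):
        self.real = real

    def verify(self, pin: str) -> bytes:
        return SW_OK  # never consults the real chip

    def generate_ac(self, amount: int, unp: bytes) -> tuple:
        return self.real.generate_ac(amount, unp)

def terminal_transaction(card, entered_pin: str, amount: int, unp: bytes):
    """Terminal: offline PIN, then GENERATE AC. Returns None if PIN rejected."""
    if card.verify(entered_pin) != SW_OK:
        return None
    cvm_flag, mac = card.generate_ac(amount, unp)
    return {"pin_ok": True, "cvm_flag": cvm_flag, "mac": mac,
            "amount": amount, "unp": unp}

def issuer_authorise(key: bytes, tx: dict) -> str:
    """Issuer: validate the cryptogram, then compare the terminal's CVM claim
    with the card's own record; a mismatch means the PIN answer was not the chip's."""
    data = tx["amount"].to_bytes(4, "big") + tx["unp"] + tx["cvm_flag"]
    expected = hmac.new(key, data, "sha256").digest()[:8]
    if not hmac.compare_digest(expected, tx["mac"]):
        return "DECLINE: cryptogram invalid"
    if tx["pin_ok"] and tx["cvm_flag"] == b"\x00":
        return "DECLINE: terminal reports PIN verified, card did not"
    return "APPROVE"
```

Where the transaction is approved fully offline, the issuer only sees these fields at clearing, so the check flags the mismatch after the fact rather than stopping it at the terminal, which is DarenN's point above.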

  • Fraudsters will improve the hardware. Eventually a shim will be made that is barely visible, interposes a chip to intercept and alter messages, and the cycle continues.

    Terminal makers are probably working on reducing the tolerances for card thickness to defeat this shimming.

    And as cards move to non-embossed plastic, this will be a problem until all embossed cards are gone. Then the slot will be thinned, and the shim will be harder to make. Possibly the cards will be shaved to permit a shim on the top. E

    • by guruevi ( 827432 )

      Did you see the shims? The entire SoC can be done on a sheet of flex plastic well within tolerance of the readers.

      • Key to being able to pass off a shimmed card is ease of use. The extra thickness of the FPGA chip causes problems, and it probably needs to be welded at this point, though eventually conductive adhesives will be found. But using non-embossed cards solves some of this.

        The terminal makers are in a bind here.

  • That's one of the first lessons in secure programming I was taught.

  • Since the US adopted/is adopting the chip without the pin, we're already behind the curve.
