Over the course of the last decade, major credit card companies have begun to implement EMV or “chip and pin” technology. This system requires that a card reader retrieve the customer’s information from their card’s magnetized chip, after which the cardholder enters their PIN.
As a result, chip and pin essentially constitutes a method of two-factor authentication (2FA) for payment card purchases. It is an added security measure designed to prevent credit card fraud if a card is physically stolen, so it is natural that VISA, Mastercard and others would switch to EMV technology, even though many companies were only recently unprepared for the transition.
But security measures only go so far. Time and time again, computer criminals have proven themselves too cunning to be deterred by such protective features and have developed workarounds to circumvent them entirely.
The case of chip and pin systems is no different. Indeed, according to recent reports, French security researchers have identified a new trick that a group of computer criminals used to outsmart the chip and pin technology on credit cards a few years ago.
According to Wired, five French citizens were arrested in 2011 and 2012 for having completed fraudulent transactions on stolen credit cards. These purchases, estimated to total below $680,000 USD and conducted over 7,000 transactions using 40 separate cards, were made despite the fact that the stolen cards were protected by chip and pin technology.
A judge subsequently ordered an investigation into the criminals’ methodology following their arrest.
Using X-ray chip imaging, side-channel analysis, protocol analysis, and microscopic optical inspections, security researchers at the École Normale Supérieure university and the science and technology institute CEA have determined that the criminals executed a “man in the middle” attack that compromised the communication channels used by cards and card readers by implanting a second chip inside of each of the stolen credit cards.
“The [forgery] module looks unusual in two ways: (1) it is engraved with the inscription ‘FUN’; and (2) glue traces clearly show that a foreign module was implanted to replace the **89 card’s original chip,” observe the researchers in a paper they published late last week.
Further analysis of the forgery indicates that it consists of legitimate connection wires made of gold, with connections between the module – the “FUN” card – and the stolen chip made of copper. This arrangement makes the module somewhat thicker than a legitimate card, with the chip slightly bulging. However, the researchers state that the card can still feasibly fit inside a point-of-sale (PoS) system.
As reported by Ars Technica, the forged module takes effect during the cardholder verification and transaction authorization processes, which are both part of a typical EMV transaction.
When the PoS system asks for a user’s PIN, the FUN card will send the reader a code indicating that any PIN submitted by the user is correct and that the transaction can therefore proceed. Next, as part of the final step of transaction authorization, the FUN card relays transaction data between the PoS system and the original chip that is used by the reader to accept the purchase.
The card authentication step meanwhile proceeds as normal.
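The exchange described above can be modelled in a few lines, together with a consistency check a card issuer could run on the result. This is an added example, not code from the researchers' paper; the class and function names are hypothetical, and it assumes the issuer receives the card's own record of whether it verified a PIN, modelled here as a plain flag rather than a real EMV data format.

```python
# Simplified, constructed model: no real EMV data formats or card I/O.
SW_OK = 0x9000          # ISO 7816 status word: command succeeded
SW_PIN_WRONG = 0x63C2   # ISO 7816: verification failed, 2 tries left
INS_VERIFY = 0x20       # ISO 7816 VERIFY (PIN presentation)
INS_GENERATE_AC = 0xAE  # EMV GENERATE AC (transaction authorization)


class GenuineChip:
    def __init__(self, pin):
        self._pin = pin
        self.pin_verified = False  # the card's own view of PIN verification

    def command(self, ins, data=b""):
        if ins == INS_VERIFY:
            self.pin_verified = (data == self._pin)
            return (SW_OK if self.pin_verified else SW_PIN_WRONG), b""
        if ins == INS_GENERATE_AC:
            # Assumption: the authorization response carries the card's own
            # verification state (a real card protects it with a cryptogram).
            return SW_OK, (b"\x01" if self.pin_verified else b"\x00")
        return 0x6D00, b""  # instruction not supported


class InterposedModule:
    """Models the implanted module: answers VERIFY itself, relays the rest."""

    def __init__(self, chip):
        self._chip = chip

    def command(self, ins, data=b""):
        if ins == INS_VERIFY:
            return SW_OK, b""  # the genuine chip never sees the PIN
        return self._chip.command(ins, data)


def terminal_transaction(card, entered_pin):
    """Return the record sent for authorization, or None if the PIN fails."""
    sw, _ = card.command(INS_VERIFY, entered_pin)
    if sw != SW_OK:
        return None  # terminal declines the purchase
    _, flag = card.command(INS_GENERATE_AC)
    return {"terminal_pin_ok": True, "card_pin_ok": flag == b"\x01"}


def issuer_accepts(record):
    """Accept only if terminal and card agree that a PIN was verified."""
    return record is not None and record["terminal_pin_ok"] == record["card_pin_ok"]
```

The terminal alone cannot tell the two cards apart, because both return the same success code; the disagreement only becomes visible to a party that compares the terminal's view with the card's own.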
In the time since the hackers were arrested, EMVCo, the card scheme-owned consortium that manages the EMV standard, has reportedly patched the vulnerabilities that first enabled the fraudulent transactions to take place. Even so, computer criminals can still tamper with EMV terminals, an issue which is addressable only by manufacturers and banks and which leaves users vulnerable to credit card fraud.
Acknowledging these threats, it is recommended that customers stay alert to the behaviors of the EMV terminals they use and that they report any suspicious behavior to the retailers themselves or to law enforcement.