How a criminal ring defeated the secure chip-and-PIN credit cards | Ars Technica

How a criminal ring defeated the secure chip-and-PIN credit cards
Over $680,000 stolen via a clever man-in-the-middle attack.
by Megan Geuss, Oct 20, 2015 9:12am EDT

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the cardholders inputting their PINs. That's when the police got involved.

The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

FUNcard X-ray analysis. (1) External memory (AT24C64) (2) Microcontroller (AT90S8515A) (3) Connection wires (4) Connection grid.
Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash was seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

As the US is finally beginning its transition from magnetic stripe cards to these so-called EMV cards, interested parties are watching Europe to see how hackers have taken advantage of the system there. While smart cards are supposed to be more resistant to fraud than the magnetic stripe cards the US has been using, that doesn't mean they're hack-proof. In fact, most banks in the US are currently only requiring a signature for transaction verification, rather than a PIN. Clearly, a signature is much more easily forged than a PIN, but the fraud scheme in France and Belgium shows that a PIN spoof was possible for a time, even if EMVCo, the consortium that manages the standard, says the problems that created the hack have now been fixed.

"Forgery X-ray analysis. (5) Stolen card's module (6) Connection wires added by the fraudster (7) Weldings by the fraudster (only three are pointed out here)."
Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria

http://arstechnica.com/techpolicy/2015/10/howacriminalringdefeatedthesecurechipandpincreditcards/

From the research paper: "Forgery's ISO module. Red arrows show glue traces."
Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria

The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUNcard to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write.

"False colors X-ray image of the forgery. Different colors correspond to different materials. The stolen chip is clearly visible in green," the researchers write.
Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria

The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

The researchers explain that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during cardholder authentication, the POS system would ask for a user's PIN, the thief would respond with any PIN, and the FUNcard would step in and send the POS the code indicating that it was ok to proceed with the transaction because the PIN checked out. During the final transaction authentication phase, the FUNcard would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram which the card issuer uses to tell the POS system whether to accept the transaction or not.
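
The decoupling described above can be modelled from the issuer's side. This is an added example, not code from the article or the researchers' paper; the field names (`terminal_says_pin_ok`, `pin_checked_by_chip`), the HMAC standing in for the cryptogram, and the key are simplified assumptions, not EMV's real data formats. It shows an issuer that only validates the cryptogram approving the interposed-chip pattern, while one that also compares the terminal's PIN claim with the chip's authenticated record declines it.

```python
import hashlib
import hmac
import json

CARD_KEY = b"constructed-demo-key"  # assumption: secret shared by genuine chip and issuer

def _mac(card_data: dict) -> str:
    blob = json.dumps(card_data, sort_keys=True).encode()
    return hmac.new(CARD_KEY, blob, hashlib.sha256).hexdigest()

def chip_cryptogram(amount: int, nonce: str, pin_checked_by_chip: bool) -> dict:
    """Genuine chip: authenticate the transaction data plus its own PIN-check state."""
    card_data = {"amount": amount, "nonce": nonce,
                 "pin_checked_by_chip": pin_checked_by_chip}
    return {"card_data": card_data, "mac": _mac(card_data)}

def issuer_decision(request: dict, bind_pin_result: bool) -> str:
    """Issuer: validate the cryptogram, then optionally cross-check the PIN claims."""
    cg = request["cryptogram"]
    if not hmac.compare_digest(_mac(cg["card_data"]), cg["mac"]):
        return "DECLINE: cryptogram invalid"
    chip_checked = cg["card_data"]["pin_checked_by_chip"]
    if bind_pin_result and request["terminal_says_pin_ok"] and not chip_checked:
        return "DECLINE: terminal saw PIN OK, chip never verified a PIN"
    return "APPROVE"

# Constructed sample authorization requests (hypothetical values).
NORMAL = {"terminal_says_pin_ok": True,
          "cryptogram": chip_cryptogram(4200, "n-001", pin_checked_by_chip=True)}
# Pattern from the article: the terminal was told the PIN was fine, but the
# genuine chip only took part in authentication and authorization.
INTERPOSED = {"terminal_says_pin_ok": True,
              "cryptogram": chip_cryptogram(4200, "n-002", pin_checked_by_chip=False)}
# Same request with the chip's flag altered in transit; the MAC no longer matches.
REWRITTEN = json.loads(json.dumps(INTERPOSED))
REWRITTEN["cryptogram"]["card_data"]["pin_checked_by_chip"] = True

def run_all(bind_pin_result: bool) -> list:
    """Return the issuer's decision for each sample request, in order."""
    return [issuer_decision(r, bind_pin_result)
            for r in (NORMAL, INTERPOSED, REWRITTEN)]

if __name__ == "__main__":
    print("decoupled:", run_all(False))
    print("bound:    ", run_all(True))
```
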

Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."

Professor Ross Anderson, one of the researchers who contributed to the Cambridge research, told Ars in an e-mail that he'd been following the case for about three years, since just after the members of the fraud ring had been arrested. In fact, he said, the expert witness for the prosecution discussed the case with him, so he has had a bit of an inside view.

But Anderson doesn't think that the engineer who made the forged cards relied on the research that he and his partners at Cambridge did at all. "My own suspicion is that the French criminals worked out the attack independently," Anderson told Ars in an e-mail. "If they didn't, somebody else did! The reason we started our research was that people came to us again and again claiming that their cards had been stolen and used in store transactions which the banks swore proved that they'd been negligent with their PINs, while the customers were certain they could not have been.

"Once you meet a number of such victims who are credible witnesses, it makes you start to think," Anderson added.

That suggests a concerning dynamic between the cardholder and the bank that could be jarring for American users in the near future: if banks see the EMV standard as impervious to fraud, it will be difficult or impossible for the cardholder to get the bank to accept liability for legitimate hacks.

Listing image by Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria

Megan Geuss / Megan is a staff editor at Ars Technica. She writes breaking news and has a background in fact-checking and research.