10/20/2015

HowacriminalringdefeatedthesecurechipandPINcreditcards|ArsTechnica

Register

Login

LAW & DISORDER / CIVILIZATION & DISCONTENTS

LATEST FEATURE STORY

Maina
Menu
My Stories: ring
18
Forums
Subscribe
Jobs
How
criminal
defeated
the secure
chip-and-PIN credit cards

Over$680,000stolenviaaclevermaninthemiddleattack.
byMeganGeussOct20,20159:12amEDT

112

Fouryearsago,aboutadozencreditcardsequipped
withchipandPINtechnologywerestoleninFrance.In
May2011,abankinggroupnoticedthatthosestolen
cardswerebeingusedinBelgium,somethingthat
shouldhavebeenimpossiblewithoutthecardholders
inputtingtheirPINs.Thatswhenthepolicegotinvolved.

The first rule of zero-days is

no one talks about zerodays (so well explain)
Justasdefendersfindtheirfeet,lawmakers
movetooutlawsecurityresearchentirely.

Thepoliceobtainedtheinternationalmobilesubscriber
identity(IMSI)numberspresentatthelocationswhere
thecardswereusedandatthetimestheywereused,
andthentheycorrelatedthoseIMSInumberstoSIM
cards.
Usingthatinformation,thepolicewereabletoarresta
25yearoldwomancarryingalargenumberofcigarette
packsandscratchers,whichwereapparentlyintended
forresaleontheblackmarket.Afterherarrest,four
moremembersofthefraudringwereidentifiedand
arrested.Thatnumberincludedtheengineerwhowas
abletoputtogetherthechipcardhackingschemethat
agroupofFrenchresearcherscall"themost
sophisticatedsmartcardfraudencounteredtodate.

FEATURE STORY (4 PAGES)

WATCH ARS VIDEO

FUNcardXrayanalysis.(1)Externalmemory
(AT24C64)(2)Microcontroller(AT90S8515A)
(3)Connectionwires(4)Connectiongrid.
HoudaFerradi,RmiGraud,DavidNaccache,andAssia
Tria

25stolencards,specializedequipment,and5,000
(approximately$5,660)incashwasseized.Ultimately
policesaidabout600,000(or$680,000)wasstolenas
aresultofthecardfraudscheme,spanning7,000
transactionsusing40cards.
AstheUSisfinallybeginningitstransitionfrom
magneticstripecardstothesesocalledEMVcards,
interestedpartiesarewatchingEuropetoseehow
hackershavetakenadvantageofthesystemthere.
"ForgeryXrayanalysis.(5)Stolencards
Whilesmartcardsaresupposedtobemoreresistantto
module(6)Connectionwiresaddedbythe
fraudthanthemagneticstripecardstheUShasbeen
fraudster(7)Weldingsbythefraudster(only
using,thatdoesntmeantheyrehackproof.Infact,
threearepointedouthere)."
mostbanksintheUSarecurrentlyonlyrequiringa
HoudaFerradi,RmiGraud,DavidNaccache,andAssia
Tria
signaturefortransactionverification,ratherthanaPIN.
Clearly,asignatureismuchmoreeasilyforgedthana
PIN,butthefraudschemeinFranceandBelgium
showsthataPINspoofwaspossibleforatime,evenifEMVCo,theconsortiumthatmanagesthe
standard,saystheproblemsthatcreatedthehackhavenowbeenfixed.

Accepting any PIN

ResearchersfromFrancescoleNormaleSuprieureaswellastheCentreMicrolectroniquede
Provencewerecommissionedtodoaforensicanalysisontheevidencefromthe2011arrestsand
seizurestofigureouthowtheschemeworked.Theresearcherspublishedtheirpaperlast
week(PDF).

http://arstechnica.com/techpolicy/2015/10/howacriminalringdefeatedthesecurechipandpincreditcards/

Reviewing the Maxim 9

from SilencerCo
Arsfiresthecompany'sprototypeintegrally
suppressedpistol.

STAY IN THE KNOW WITH

LATEST NEWS
Supreme Court takes 1st
patent case of term, and
plaintiffs could benefit
HELLO,MACINTOSHCALLING!

Support scams that plagued Windows

users for years now target Mac
customers
HESAIDSHESAID

Reno Gazette-Journal says Tesla

Gigafactory guards accosted
journalists
EXPLORATIONS&MEDITATIONSONSCIFI

Homeland awkwardly tackles spy

1/4

10/20/2015

HowacriminalringdefeatedthesecurechipandPINcreditcards|ArsTechnica

tech again, this time with stingrays

APPLEV.NSA

Apple CEO Tim Cook blasts encryption

backdoors
HTC One A9 hands-on: A
midrange smartphone that
feels like a flagship

Fromtheresearchpaper:"ForgerysISOmodule.Red
arrowsshowgluetraces."
HoudaFerradi,RmiGraud,DavidNaccache,andAssiaTria

Thestolencardswerestillconsideredevidence,sotheresearcherscouldntdoafullteardownor
runanyteststhatwouldalterthedataonthecard,sotheyusedXrayscanstolookatwherethe
chipcardshadbeentamperedwith.Theyalsoanalyzedthewaythechipsdistributedelectricitywhen
inuseandusedreadonlyprogramstoseewhatinformationthecardssenttoaPointofSale(POS)
terminal.
Accordingtothepaper,thefraudsterswereabletoperformamaninthemiddleattackby
programmingasecondhobbyistchipcalledaFUNcardtoacceptanyPINentry,andsolderingthat
chipontothecardsoriginalchip.Thisincreasedthethicknessofthechipfrom0.4mmto0.7mm,
"makinginsertionintoaPoSsomewhatuneasybutperfectlyfeasible,theresearcherswrite.

"FalsecolorsXrayimageoftheforgery.Differentcolors
correspondtodifferentmaterials.Thestolenchipis
clearlyvisibleingreen,"theresearcherswrite.
HoudaFerradi,RmiGraud,DavidNaccache,andAssiaTria

ThehackerstookadvantageofthefactthatPINauthenticationwas,atleastatthetime,decoupled
fromtransactionverificationonEMVcardsinEurope.
TheresearchersexplainthatatypicalEMVtransactioninvolvesthreesteps:cardauthentication,
cardholderverification,andthentransactionauthorization.Duringatransactionusingoneofthe
alteredcards,theoriginalchipwasallowedtorespondwiththecardauthenticationasnormal.Then,
duringcardholderauthentication,thePOSsystemwouldaskforausersPIN,thethiefwould
respondwithanyPIN,andtheFUNcardwouldstepinandsendthePOSthecodeindicatingthatit
wasoktoproceedwiththetransactionbecausethePINcheckedout.Duringthefinaltransaction
authenticationphase,theFUNcardwouldrelaythetransactiondatabetweenthePOSandthe
originalchip,sendingtheissuingbankanauthorizationrequestcryptogramwhichthecardissuer
usestotellthePOSsystemwhethertoacceptthetransactionornot.

The new normal

Intheirpaper,theresearchersnotethattheforgedchip
cardslookedsimilartoaschemeputforwardin2010by
researchersatCambridgeUniversity.Atthetime,the

FURTHERREADING

http://arstechnica.com/techpolicy/2015/10/howacriminalringdefeatedthesecurechipandpincreditcards/

2/4

10/20/2015

HowacriminalringdefeatedthesecurechipandPINcreditcards|ArsTechnica

Cambridgeresearcherswereabletoshowthattheycould
completeatransactionusingasimilarmaninthemiddle
attack,buttheywerentabletogettheformfactordownto
creditcardsize.TheFrenchresearcherswhodidthe
forensicanalysisofthecardsnotedthat"producingthe
forgeryrequiredpatience,skillandcraftsmanship.

TODAY, ALL STORES IN THE US

SHOULD ACCEPT CHIP-AND-PIN
CARDS. YEAH, RIGHT.

ProfessorRossAnderson,oneoftheresearcherswho
contributedtotheCambridgeresearch,toldArsinane
mailthathedbeenfollowingthecaseforaboutthree
years,sincejustafterthemembersofthefraudringhad
beenarrested.Infact,hesaid,theexpertwitnessforthe
prosecutiondiscussedthecasewithhim,sohehashada
bitofaninsideview.

Liability shift is beginning of a very

protracted end for magnetic stripe
cards.

ButAndersondoesntthinkthattheengineerwhomadetheforgedcardsreliedontheresearchthat
heandhispartnersatCambridgedidatall."MyownsuspicionisthattheFrenchcriminalsworked
outtheattackindependently,AndersontoldArsinanemail."Iftheydidn't,somebodyelsedid!The
reasonwestartedourresearchwasthatpeoplecametousagainandagainclaimingthattheircards
hadbeenstolenandusedinstoretransactionswhichthebankssworeprovedthatthey'dbeen
negligentwiththeirPINs,whilethecustomerswerecertaintheycouldnothavebeen.
"Onceyoumeetanumberofsuchvictimswhoarecrediblewitnesses,itmakesyoustarttothink,
Andersonadded.
Thatsuggestsaconcerningdynamicbetweenthecardholderandthebankthatcouldbejarringfor
AmericanusersinthenearfutureifbanksseetheEMVstandardasimpervioustofraud,itwillbe
difficultorimpossibleforthecardholdertogetthebanktoacceptliabilityforlegitimatehacks.
ListingimagebyHoudaFerradi,RmiGraud,DavidNaccache,andAssiaTria

READER COMMENTS 112

MeganGeuss/MeganisastaffeditoratArsTechnica.Shewritesbreakingnewsandhasabackgroundinfact
checkingandresearch.

OLDER STORY

NEWER STORY

YOU MAY ALSO LIKE

http://arstechnica.com/techpolicy/2015/10/howacriminalringdefeatedthesecurechipandpincreditcards/

3/4

10/20/2015

HowacriminalringdefeatedthesecurechipandPINcreditcards|ArsTechnica

SITE LINKS

MORE READING

CONDE NAST SITES

AboutUs

RSSFeeds

Reddit

Advertisewithus

Newsletters

Wired

ContactUs
Reprints

VanityFair
VisitArsTechnicaUK

Style
Details

SUBSCRIPTIONS
SubscribetoArs

Visitoursistersites
Subscribetoamagazine

VIEW MOBILE SITE

2015CondNast.Allrightsreserved
UseofthisSiteconstitutesacceptanceofourUserAgreement(effective1/2/14)andPrivacyPolicy(effective1/2/14),andArsTechnicaAddendum(effective5/17/2012)
YourCaliforniaPrivacyRights
Thematerialonthissitemaynotbereproduced,distributed,transmitted,cachedorotherwiseused,exceptwiththepriorwrittenpermissionofCondNast.
AdChoices

http://arstechnica.com/techpolicy/2015/10/howacriminalringdefeatedthesecurechipandpincreditcards/

4/4