The Rippleshot Data Breach Blog

The “Brief” History of Chip-Card Hacking

Written by Sid Khaitan | Aug 10, 2016 4:31:32 PM

Chip-card hacking has most likely been around longer than you think. Commonly known as the EMV standard, after the consortium of Europay, Mastercard, and Visa that created it, chip-based card technology has been widely adopted in virtually every global market (except for the U.S. until recently). EMV was born in 1994, when the three international payment systems set out to develop a global chip specification for payment systems, and the first production version was released in 1996. By embedding a secure chip into a plastic payment card, EMV improves the overall security of debit and credit cards well beyond the traditional magnetic stripe and swipe. In addition to replacing the outdated signature with a PIN (personal identification number) where chip-and-PIN is deployed, the chip uses cryptographic processing to produce a cryptogram that is unique to every transaction, instead of handing over static account data that can be copied and replayed the way a magnetic stripe can. However, the common misconception is that EMV is the "be all, end all" of payment security, and this couldn't be further from the truth. Find out how chip-card hacking has evolved from swapping out a terminal's internal hardware to sophisticated ATM shimming devices as the Rippleshot Team explores the history of chip-card hacking.

2006: Humble Beginnings

The earliest documented origins of chip-card hacking trace back to May 2006, when petrol giant Shell was forced to suspend chip-and-PIN payments at 600 UK petrol stations after over £1 million was drained from customer accounts. In the wake of the attack, researchers from the Cambridge University Computer Laboratory, Saar Drimer and Steven J. Murdoch, showed how such a scheme could be pulled off by modifying a chip-and-PIN terminal to play Tetris. The demonstration made it clear that a terminal could be opened, its internal hardware replaced, and its exterior restored to original form with no evidence of tampering. Although the terminal used was purchased on eBay and was not approved for use in the U.K., the conclusion stands: a fraudster could potentially alter any terminal to his will, with no visible difference to the customer.

2008: Hacking the manufacturing process

In October 2008, European law enforcement unravelled a highly sophisticated fraud scheme that funnelled account data from hundreds of grocery store terminals to an organized crime syndicate in Lahore, Pakistan. On close examination, a miniature, high-tech "bug" (a card with wireless communication technology) was found concealed beneath the terminal's motherboard. Through a series of three circuits, the bug copied the card details and PIN before encryption, packaged and stored the data, and then "shipped" it wirelessly to a computer in Pakistan. The attackers were able to plant the hard-to-detect devices through a supply chain attack in China, where they are suspected of tampering with the terminals during manufacturing, or doctoring them shortly after they left the production line.

2011-2012: Evolving Sophistication

Believe it or not, of the card hacking schemes that have been revealed publicly, most have become increasingly complex, and in some instances have taken years to understand. In 2011 and 2012, five French citizens were arrested in connection with a fraud ring that spent over EUR 600,000 on stolen credit cards after circumventing chip-and-PIN technology. Nevertheless, the technique used to compromise the cards was not fully understood until three years later. Dubbed "the most sophisticated smart card fraud encountered to date", the man-in-the-middle (MITM) attack was uncovered through X-ray analysis, which revealed a second chip that the fraudsters had implanted on top of the genuine one. On further investigation by the École Normale Supérieure and the Centre Microélectronique de Provence, forensic researchers found that the implanted chip "listened" in on the exchange between the card and the reader and hijacked the PIN verification step: when the terminal asked the card to check the PIN the fraudster had typed, the implant answered that the PIN was correct without ever passing the query on to the genuine chip, which therefore accepted the transaction without a PIN.

In defense of EMVCo (the consortium that manages the EMV standard), the study noted that this particular attack is no longer possible: a newer card authentication mode, Combined Data Authentication (CDA), has since been activated, and network-level protections serve as a second line of defense.
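To make the mechanism of the 2011 implant and the value of a second line of defense concrete, here is a toy simulation added for this article (not code from the forensic study or any EMV implementation, and deliberately not EMV-conformant). It models a genuine chip, a man-in-the-middle implant that answers the terminal's PIN check itself, and an issuer that can optionally cross-check the terminal's view of cardholder verification against the card's own view, which the card binds into its transaction cryptogram. The status words, field names, the HMAC-based cryptogram and the "CVM" labels are simplifications chosen for illustration.

```python
"""Toy model of an in-card PIN-bypass implant and an issuer-side check.

Constructed example for illustration; not EMV-conformant. The real
protocol uses a card-unique 3DES/AES session key and a different data
layout, but the structure of the attack is the same: the implant
intercepts only the PIN verification command and lies about its result.
"""
import hashlib
import hmac
import os

SW_OK = b"\x90\x00"          # ISO 7816 "success" status word
SW_PIN_WRONG = b"\x63\xc0"   # "verification failed" (retry counter simplified)


class GenuineCard:
    """The real chip: holds the PIN and a MAC key shared with the issuer."""

    def __init__(self, pin: str, mac_key: bytes):
        self._pin = pin
        self._mac_key = mac_key
        self.pin_verified = False

    def verify_pin(self, candidate: str) -> bytes:
        self.pin_verified = hmac.compare_digest(candidate, self._pin)
        return SW_OK if self.pin_verified else SW_PIN_WRONG

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> dict:
        """Return the card's own CVM outcome plus a cryptogram that binds it,
        the amount and the terminal's nonce (a simplified ARQC)."""
        card_cvm = "PIN" if self.pin_verified else "NONE"
        payload = amount.to_bytes(4, "big") + unpredictable_number + card_cvm.encode()
        cryptogram = hmac.new(self._mac_key, payload, hashlib.sha256).digest()[:8]
        return {"card_cvm": card_cvm, "cryptogram": cryptogram}


class ImplantedCard:
    """Man-in-the-middle chip glued over a genuine card: it answers VERIFY
    itself with 'success' and forwards every other command untouched."""

    def __init__(self, genuine: GenuineCard):
        self._genuine = genuine

    def verify_pin(self, candidate: str) -> bytes:
        return SW_OK  # never forwarded: the genuine chip never sees a PIN

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> dict:
        return self._genuine.generate_ac(amount, unpredictable_number)


def terminal_transaction(card, entered_pin: str, amount: int):
    """Build what the POS sends online: its own view of cardholder
    verification plus whatever the card returned. None if the PIN failed."""
    if card.verify_pin(entered_pin) != SW_OK:
        return None
    un = os.urandom(4)  # terminal's unpredictable number (nonce)
    ac = card.generate_ac(amount, un)
    return {"amount": amount, "un": un, "terminal_cvm": "PIN", **ac}


def issuer_decision(req: dict, mac_key: bytes, cross_check_cvm: bool) -> str:
    """Verify the cryptogram; optionally also require the terminal's and the
    card's CVM outcomes to agree, which the implant cannot forge because the
    card's outcome is under the MAC."""
    payload = req["amount"].to_bytes(4, "big") + req["un"] + req["card_cvm"].encode()
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, req["cryptogram"]):
        return "DECLINE: bad cryptogram"
    if cross_check_cvm and req["terminal_cvm"] != req["card_cvm"]:
        return "DECLINE: terminal says %s but card says %s" % (
            req["terminal_cvm"], req["card_cvm"])
    return "APPROVE"


def run(cross_check_cvm: bool, implant: bool, pin_entered: str = "0000") -> str:
    """One end-to-end transaction with a constructed card and key."""
    key = b"issuer-card-mac-key (constructed)"
    genuine = GenuineCard(pin="4321", mac_key=key)
    card = ImplantedCard(genuine) if implant else genuine
    req = terminal_transaction(card, pin_entered, amount=15000)
    if req is None:
        return "ABANDONED: PIN rejected at terminal"
    return issuer_decision(req, key, cross_check_cvm)


if __name__ == "__main__":
    print("genuine card, right PIN            :", run(False, False, "4321"))
    print("implant, wrong PIN, no cross-check :", run(False, True))
    print("implant, wrong PIN, with cross-check:", run(True, True))
```

The second run is the 2011 fraud in miniature: the terminal reports a successful PIN, the cryptogram is perfectly valid because the genuine chip computed it, and an issuer that only checks the cryptogram approves. The third run shows why a consistency check between what the terminal claims and what the card attests closes the gap, and why the root cause is that the terminal trusted an unauthenticated "PIN OK" status word from whatever was sitting in the card slot.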

What happens in Vegas...

Most certainly does not stay in Vegas. It is broadcasted across the world.

At Black Hat USA 2016, the annual hacker conference in Las Vegas, security consultants from Rapid7 and researchers from NCR Corporation debuted two separate methods of bypassing EMV protections. Tod Beardsley, the Rapid7 security research manager who oversaw the work, showed an ATM being made to dispense hundreds of dollars in cash using a shimming device known as La-Cara, a roughly $2,000 automated cash-out machine that fits over the card slot and keypad of an ATM. Combining an automated PIN keypad with a "flashable" EMV card, the device takes a snapshot of harvested transaction data, downloaded to it by an internet-connected smartphone, and uses it to recreate the compromised card, enabling cash withdrawals from virtually any ATM.

Although Rapid7 announced that it would not disclose specifics of the technique, it has reported the weakness to ATM manufacturers and financial institutions, Beardsley told the BBC. According to The Register, however, there have already been reports of shimming in tourist areas of South America.

Unfortunately, the Rapid7 team was not the only one to find a way around EMV. Researchers from NCR Corporation demonstrated multiple ways of attacking "payment points of interaction", such as PIN pads, to get past chip-and-PIN protections. They carried out both passive and man-in-the-middle attacks to compromise key libraries and files on PIN pad devices, allowing them to capture card data including cardholder names, account numbers, card verification values (CVVs), and even PINs.

I don't know, you tell me!

Although the migration to EMV has clear benefits over magnetic stripe cards, fraudsters will evidently not shy away from the challenge of defeating chip-and-PIN. As America continues its slow transition to EMV, sophisticated cybercrime rings will first harvest what is left of the "low-hanging fruit", magnetic stripe cards and data compromised in the past, and then quickly shift their attention to breaking down EMV. It is also worth noting that the card networks had a second motive for the EMV roll-out: it came with a liability shift, under which a merchant that has not deployed chip-capable terminals now bears the cost of counterfeit-card fraud at the point of sale. The networks' reasoning is that the technology is more secure, so a merchant who does not take advantage of it should be the one at fault. But given several documented instances of chip-card hacking, and even public demonstrations of EMV bypasses at security conferences, is that argument still valid?

We’ll leave that to you to decide.
