SecurityWeek

Fraudsters Stole $680,000 Via MitM Attack on EMV Cards

A team of French researchers has completed its analysis of the techniques of a criminal ring that in 2011 managed to steal $680,000 using modified EMV cards.

EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, have been used in Europe for many years and the United States is also transitioning to this technology as it’s considered more secure than the magnetic stripe technology that the country’s banks have been using.

EMV transactions are carried out in three phases: the card is authenticated, the cardholder is verified, and the transaction is authorized.

In the first phase, the point-of-sale (PoS) system determines which applications are supported by the card (e.g. debit, credit, ATM, loyalty). During the cardholder verification stage, the PoS asks the user to enter their PIN and transmits it to the card, which compares it and informs the PoS if it’s correct or not.

During the transaction authorization phase, amount, currency, date and other transaction details are sent to the card, which responds with an authorization request cryptogram that is sent to the card issuer. The issuer responds with an authorization request code that instructs the PoS on how the transaction should be handled.

In 2010, researchers at the University of Cambridge in the United Kingdom discovered a flaw that allowed criminals to use stolen chip-and-PIN cards without knowing their PIN. The attack relied on an electronic device acting as a man-in-the-middle (MitM), designed to prevent the PIN verification message from reaching the card in the second phase of the transaction and to always report that the entered PIN is correct. Researchers noted at the time that it would not be too difficult for criminals to miniaturize the MitM device that needed to be attached to the card.

The next year, a French banking group learned that a dozen EMV cards stolen in France had been used in Belgium. Since conducting fraudulent transactions using EMV cards should have been impossible, an investigation was launched.

Comparing the time and geographical location of the fraudulent transactions to the International Mobile Subscriber Identity (IMSI) numbers of SIM cards present near the crime scenes led investigators to a 25-year-old woman. Authorities later arrested other members of the gang, including the engineer who created the fake chip-and-PIN cards.

The group is said to have stolen roughly €600,000 ($680,000) by conducting 7,000 transactions using 40 modified cards.

The French researchers tasked with analyzing the fake cards named this the “most sophisticated smart card fraud encountered to date.” In a paper published earlier this month, experts said the fraudsters used two chips, which they placed on top of each other, to conduct the attack.

The first chip was clipped from a genuine stolen card. The second was a FUN card, an open card used by hobbyists and for prototypes; it acted as the MitM device tasked with ensuring that the card would accept the PIN regardless of the PIN that was entered.

The two cards were wired to each other and embedded into the plastic body of a different card. Experts noted that creating the forgery required “patience, skill and craftsmanship.” While the resulting card was thicker than a regular card, it could still be inserted into a PoS device.

The cards created by the fraudsters were designed to let the chip from the genuine card conduct the card authentication and transaction authorization phases, while the cardholder verification step was hijacked by the second chip.

According to the researchers, such attacks are no longer possible thanks to the introduction of a new authentication mode dubbed “Combined Data Authentication” or CDA, and a series of network-level protections.
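The split between phases described above can be modeled in a few lines. The following is an added illustration, not code from the researchers' paper or from any EMV specification: all class, field and function names are hypothetical, the HMAC stands in for the real cryptogram, and the issuer-side comparison of the terminal's and the card's view of PIN verification is an assumed example of a network-level check, which the article does not detail.

```python
# Simplified, constructed model of the three EMV phases (no real APDUs or EMV crypto).
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Card:
    pin: str
    key: bytes                    # secret shared with the issuer (assumed)
    pin_verified: bool = False    # the card's own record of phase 2

    def verify_pin(self, pin):    # phase 2: cardholder verification
        self.pin_verified = pin == self.pin
        return self.pin_verified

    def authorize(self, details):  # phase 3: cryptogram over details + card state
        state = b"pin_ok" if self.pin_verified else b"no_pin"
        return state, hmac.new(self.key, details + b"|" + state, hashlib.sha256).digest()

class Interposer:
    """Second chip between terminal and card: answers phase 2 itself."""
    def __init__(self, card):
        self.card = card

    def verify_pin(self, pin):    # never forwarded to the genuine chip
        return True

    def authorize(self, details):  # phase 3 is passed through unchanged
        return self.card.authorize(details)

def terminal_transaction(chip, pin, details):
    pin_ok = chip.verify_pin(pin)
    state, mac = chip.authorize(details)
    return {"details": details, "terminal_pin_ok": pin_ok, "card_state": state, "mac": mac}

def issuer_check(req, key):
    expected = hmac.new(key, req["details"] + b"|" + req["card_state"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, req["mac"]):
        return "decline: bad cryptogram"
    if not req["terminal_pin_ok"]:
        return "decline: PIN not verified by terminal"
    if req["card_state"] != b"pin_ok":
        return "decline: terminal and card disagree on PIN verification"
    return "approve"

if __name__ == "__main__":
    key, details = b"constructed-demo-key", b"amount=10.00;currency=EUR"  # constructed
    for chip in (Card("1234", key), Interposer(Card("1234", key))):
        print(type(chip).__name__, "->", issuer_check(terminal_transaction(chip, "0000", details), key))
```

In this model the cryptogram from the interposed card is still valid, so only the comparison of the two views of phase 2 flags the transaction; because the card's state is covered by the MAC, it cannot be rewritten in transit.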

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
