Tuesday, October 20, 2015

Card hack in Europe exposed

This being Cybersecurity awareness month, I thought I'd discuss an interesting hardware hack that just came to light. 

As you may know, US credit card companies and banks have begun issuing cards with embedded chips in them. Scanners that require a PIN basically compare the PIN that the user enters to the PIN on the card and, if they match, the system accepts the user's credentials and allows the transaction to occur.

A European hack that occurred a couple of years ago has recently been described. It allowed criminals to extract ~$700,000 from European businesses using stolen cards.

Here's how they did it. They soldered a chip onto the existing one that simply indicated to the scanner that whatever the user keyed in as his PIN was correct. The card was a little thicker than most, but it fooled retailers. The perpetrators were caught when investigators noticed a pattern in the places where the cards were used.

The method they used is detailed in this fascinating paper published by the École Normale Supérieure university in Paris: http://eprint.iacr.org/2015/963.pdf 

The system has since been changed so that the scanners now test for this kind of signal before even asking for the PIN. (I assume that the new system rolled out in the US has this bug fixed as well…)
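To show why the added chip worked and how a consistency check catches it, here is a simplified model written for this post's topic; it is an added example, not code from the paper or from any payment system. It assumes the card authenticates its own record of the PIN check to the issuer (an HMAC stands in for the card's cryptogram), and it models an issuer-side cross-check, which is not necessarily the scanner-side test mentioned above. All names and values are hypothetical.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; known to card and issuer only

def card_mac(amount: int, flag: bytes) -> bytes:
    """Stand-in for the card's authenticated transaction data (not an EMV format)."""
    return hmac.new(ISSUER_KEY, amount.to_bytes(4, "big") + flag, hashlib.sha256).digest()

class Card:
    def __init__(self, pin: str):
        self._pin = pin
        self.pin_verified = False  # the card's own record of the PIN check

    def verify_pin(self, pin: str) -> bool:
        self.pin_verified = hmac.compare_digest(pin, self._pin)
        return self.pin_verified

    def sign(self, amount: int):
        flag = b"\x01" if self.pin_verified else b"\x00"
        return flag, card_mac(amount, flag)

class AddedChip:
    """Models the soldered-on chip: answers the PIN check itself, forwards the rest."""
    def __init__(self, card: Card):
        self._card = card

    def verify_pin(self, pin: str) -> bool:
        return True  # the genuine chip never sees the PIN

    def sign(self, amount: int):
        return self._card.sign(amount)

def terminal(device, pin: str, amount: int):
    """Terminal trusts the unauthenticated PIN answer; returns None if PIN is refused."""
    if not device.verify_pin(pin):
        return None
    flag, mac = device.sign(amount)
    return {"amount": amount, "terminal_pin_ok": True, "card_flag": flag, "mac": mac}

def issuer_accepts(txn) -> bool:
    """Reject if the MAC is bad or the card's signed flag contradicts the terminal."""
    if not hmac.compare_digest(card_mac(txn["amount"], txn["card_flag"]), txn["mac"]):
        return False
    return txn["terminal_pin_ok"] == (txn["card_flag"] == b"\x01")
```

The terminal alone cannot tell the two cases apart; the mismatch only shows up once the card's authenticated flag is compared with what the terminal believes.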

Where there's money to be made, criminals will find a way.
