Secure or Not? The “Improved” Chipped Credit Cards
Attackers have become rather resilient and tenacious over time. Vulnerabilities are noted and exploited by the attackers. This has, at this point, become an academic venture. The target may note this from their SIEM alarm, other systems not working as anticipated, or a vendor mentioning there may be an issue. The vulnerability is addressed with a patch or other tool. The attackers notice this is no longer working and have their call to action to update or pivot their attack as needed, and deploy the modified attack or malware. This is then noted, patched, and the process starts again.
The credit card industry is no different. We are all exceptionally familiar with the standard physical manifestation of the credit card, with the magnetic stripe on the rear of the card. This form had been used throughout the planet. As a result of the mass usage, the attackers noticed the potential for theft. The associated fraud and theft began to grow as the number of counterfeited credit cards and fraudulent charges passed the critical mass for the industry to become exceptionally involved.
To alleviate the issue, the chip and PIN method was created and implemented. The chip added to the credit card allows for an additional layer of security. To defeat this, the attacker would also have to bypass the chip. This is being used more often as it is pushed by the industry. At this time a majority of the credit cards have this. The intent has been to make the counterfeiting process more difficult. In theory this would make credit cards less of a target.
The credit card companies did not enjoy or appreciate the increased losses experienced. To decrease the loss potential from these cases of fraud, the credit card companies knew something had to be done. To work towards this goal, the credit card companies began to utilize their R&D. The addition was the chip seen in many of the cards. This was engineered to add security to the process. This added technology has been in use for years in non-US countries. With this in place, in theory, the fraudulent charges should decrease. This should create a fool-proof method to secure the credit card transactions.
In theory, there should be no further vulnerabilities. The credit card company has the card coded as requiring the chip with the specific data on the chip. If a card is presented and the data on the chip is not communicated, the transaction would be cancelled. The effect, in theory, is to exponentially increase the security. This has not been the case though.
There was an issue or oversight with the system as designed. The attack methodology was presented at the 2016 Black Hat conference. The method used to compromise the system was to encode the code on the magnetic stripe on the card. The code on the cards appears to be the standard used by the Europay, MasterCard, and Visa (EMV) cards. In effect, the modified magnetic stripe code tricks the terminal into believing the card really does not have a chip. Within the code located in the magnetic stripe is an area that indicates the card has the chip. Usually, when the card is read, the stripe, if used, indicates there should be a chip and directs the user to place the chip end of the card into the reader. In this case, the attack toggles the code so that it indicates there should not be a chip. The credit card is then accepted when it should not be.
Although this is curious in its own right, the issue continued with the issuing bank. The communication from the terminal is that the card does not and should not have the chip, while the issuing bank’s system shows it should. Although this appears to be a significant error, the bank’s system may still overrule the issue.
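The issuer-side check that catches this mismatch can be sketched as follows. This is an added example, not code from the original article or from any card network. It assumes the "area that indicates the card has the chip" is the three-digit service code of ISO/IEC 7813 Track 2, whose first digit is 2 or 6 on chip cards. The card record, entry-mode values, decision names and sample track strings are hypothetical and constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM SSS discretionary-data ?
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)

# First service-code digit 2 or 6 means the card carries an integrated circuit.
CHIP_DIGITS = {"2", "6"}


def parse_track2(raw):
    """Split raw Track 2 data into PAN, expiry, service code, discretionary data."""
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not Track 2 data")
    return m.groupdict()


def stripe_claims_chip(service_code):
    """True when the service code tells the terminal to use the chip."""
    return service_code[0] in CHIP_DIGITS


def issuer_decision(raw_track2, issued_service_code, entry_mode):
    """Compare what the terminal read with what the issuer personalised.

    issued_service_code: value stored in the issuer's card record (hypothetical).
    entry_mode: 'chip' or 'magstripe' (simplified assumption).
    Returns (decision, reason).
    """
    track = parse_track2(raw_track2)
    if track["svc"] != issued_service_code:
        # The stripe no longer matches the issued card: do not overrule this.
        return ("decline", "service code differs from issued value")
    if entry_mode == "magstripe" and stripe_claims_chip(issued_service_code):
        # Genuine chip card read by stripe: treat the fallback as higher risk.
        return ("review", "chip card used as magstripe")
    return ("approve", "stripe consistent with card record")


# Constructed sample data (well-known test PAN, not a real card).
GENUINE = ";4111111111111111=25122010000000000?"   # service code 201
ALTERED = ";4111111111111111=25121010000000000?"   # service code 101

if __name__ == "__main__":
    print(issuer_decision(GENUINE, "201", "chip"))
    print(issuer_decision(GENUINE, "201", "magstripe"))
    print(issuer_decision(ALTERED, "201", "magstripe"))
```
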
In the alternative, the attackers could have directly attacked the chip. Although this would be a great scene in Mr. Robot, this attack would have taken much more time for the attacker to work on. Based on the chip and encryption, this may not be crack-able in several lifetimes.
This was such a significant issue that even the FBI took notice and became involved. The FBI Internet Crime Complaint Center publicly warned that the attack was viable. One aspect of security to apply to the situation would be end-to-end encryption. This service is not free, but would act as an added service. Although not free, this would provide savings in that potential fraud would decrease. Measuring the potential fraud could be an issue, as there is not an actual number to compare against. One measure could be the baseline amount adjusted for inflation. Whichever method is chosen, this would be the better alternative as compared to the opportunity for the fraud to continue and grow.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.