The EMV card and how to be almost safe

November 5, 2015

The EMV card comes with stronger security features than the magnetic-stripe card, but also with vulnerabilities of its own. Because this type of card has been in use for years in Europe and other parts of the world, attackers have already developed several ways of bypassing its protections in order to reach the underlying accounts.

Chip and PIN cards are better protected than chip and signature cards because they use two-factor rather than single-factor authentication: the cardholder must both insert the card into the terminal (something they have) and enter the correct PIN (something they know).

One documented method of attacking an EMV card consists of tricking the terminal into believing the PIN is valid when it is not. This kind of fraud is particularly concerning for retailers, since the banks now carry the liability only for ATM transactions. When stolen card data is used online, the resulting losses fall on the retailers. The same retailers have already borne around 75% of the cost of EMV conversion, and further costs may follow. Internet fraud is expected to rise, since there are no coordinated and effective methods for preventing e-commerce fraud.

The FUNcard case

This case featured a working attack on EMV cards. A small group of French nationals spoofed the PIN verification step and so got past the POS terminal's checks. They were caught in 2011/12, when GIE Cartes Bancaires noticed that a dozen EMV cards issued in France were being used for transactions in Belgium. The researchers who analysed the seized cards used X-ray imaging to work out how the fraudsters had exploited a flaw in the card-terminal protocol.

When the terminal asked the card to verify the PIN, a second chip mounted on the authentic one intercepted the request and answered that the code entered was correct, whatever had actually been typed. The real chip therefore never checked the PIN and never recorded a successful verification, while the terminal recorded an offline PIN check as passed; at the time, issuers were not comparing the two records. The real chip and the fake FUN chip were fixed back-to-back on a card that could still be inserted into a terminal, although the tampered card was slightly thicker.

The paper describing how the researchers reverse-engineered the device can be accessed here. The FUN cards were programmed with the help of specialized hardware. After studying the technique, the French researchers concluded that such miniature spy chips could be used in other fraudulent activities as well, such as eavesdropping on mobile communications or in low-cost hardware security modules.

Although the banking industry had previously dismissed the possibility of such a method being used in real attacks, the French fraudsters stole almost the equivalent of US$690,000 in about 7,000 transactions, buying merchandise and re-selling it.

The British proof-of-concept dating from 2009

Back in 2009/2010, Dr. Steven J. Murdoch, now of the Information Security Research Group at University College London, published a paper with three co-authors (Saar Drimer, Ross Anderson and Mike Bond) on this man-in-the-middle attack. The paper, entitled “Chip and PIN is broken”, was released by the University of Cambridge Computer Laboratory; it was the proof-of-concept later dismissed by the UK Cards Association.

A BBC article from 2010 detailed how the attack needed only a small kit: a laptop running purpose-written software, wired in between the card and the terminal to interfere with their communication. The attack worked on both credit and debit cards, and the sophistication required was judged to be low. Although Cambridge's standard practice in such research is to alert the relevant parties and suggest fixes before publishing, at the time, as already mentioned, the industry bodies did not believe such attacks were practical and therefore did not react.
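The FUNcard interposer and the Cambridge wedge described above share one mechanism: whatever PIN the terminal sends in its verification command, the interposed device answers with the "PIN correct" status word and the real chip never sees the PIN. The Python simulation below is an added example, not code from either research paper or from any payment system. The VERIFY command layout, the plaintext PIN block format and the status words (90 00, 63 Cx, 69 83) follow the EMV specification; the Card, WedgeChip and run_transaction names, and the pin_verified flag standing in for the card's own verification record, are simplifications assumed for this example.

```python
# Added illustrative simulation of EMV offline PIN verification and the
# interposed "wedge" chip that answers 90 00 on the real card's behalf.
# Status words and the plaintext PIN block layout follow the EMV spec;
# the classes and the pin_verified flag are assumptions of this example.
from dataclasses import dataclass

SW_OK = bytes([0x90, 0x00])           # PIN accepted
SW_PIN_BLOCKED = bytes([0x69, 0x83])  # no PIN tries left
INS_VERIFY = 0x20


def build_verify_apdu(pin: str) -> bytes:
    """VERIFY command carrying a plaintext PIN block (CLA 00 INS 20 P1 00 P2 80)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    # Plaintext PIN block: control nibble 2, length nibble, digits, F padding to 8 bytes.
    block = bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))
    return bytes([0x00, INS_VERIFY, 0x00, 0x80, len(block)]) + block


@dataclass
class Card:
    """Honest EMV application: checks the PIN and remembers whether it passed."""
    pin: str
    tries_left: int = 3
    pin_verified: bool = False  # stands in for the verification record the card reports

    def process(self, apdu: bytes) -> bytes:
        ins, lc = apdu[1], apdu[4]
        if ins != INS_VERIFY:
            return bytes([0x6D, 0x00])  # instruction not supported
        if self.tries_left == 0:
            return SW_PIN_BLOCKED
        data = apdu[5:5 + lc]
        pin_len = data[0] & 0x0F
        entered = data.hex().upper()[2:2 + pin_len]
        if entered == self.pin:
            self.pin_verified = True
            return SW_OK
        self.tries_left -= 1
        return bytes([0x63, 0xC0 | self.tries_left])  # 63 Cx: x tries remaining


class WedgeChip:
    """The interposed chip: passes everything through except VERIFY,
    which it answers with 90 00 without ever asking the real card."""

    def __init__(self, real_card: Card):
        self.real_card = real_card

    def process(self, apdu: bytes) -> bytes:
        if apdu[1] == INS_VERIFY:
            return SW_OK  # the real chip never sees the PIN and stays "not verified"
        return self.real_card.process(apdu)


def run_transaction(card: Card, entered_pin: str, wedged: bool = False) -> dict:
    """Terminal side of offline PIN verification, followed by the cross-check an
    issuer could make between what the terminal claims and what the card says."""
    target = WedgeChip(card) if wedged else card
    sw = target.process(build_verify_apdu(entered_pin))
    terminal_pin_ok = sw == SW_OK
    return {
        "status_word": sw.hex(),
        "terminal_pin_ok": terminal_pin_ok,       # terminal's "offline PIN verified"
        "card_pin_verified": card.pin_verified,   # the card's own record
        # Terminal says a PIN was verified, card says it never verified one:
        # that mismatch is the detectable footprint of the wedge attack.
        "inconsistent": terminal_pin_ok and not card.pin_verified,
    }


if __name__ == "__main__":
    for label, wedged, pin in [("honest card, right PIN", False, "1234"),
                               ("honest card, wrong PIN", False, "0000"),
                               ("wedged card, wrong PIN", True, "0000")]:
        print(label, run_transaction(Card(pin="1234"), pin, wedged))
```

The wedged transaction is the interesting one: the terminal accepts the PIN, the card's own record still says no PIN was verified, and the `inconsistent` flag is the check that, had issuers been applying it, would have exposed both the Cambridge demonstration and the French fraud.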

In his blog post of 14 October 2015, the lead author of the British study reviews the timeline: the flaw being disclosed for the first time, the banking industry's public reaction, the fraudsters' activity in France, and the French researchers' reverse engineering and analysis of how these attacks were possible.

EMV card (chip and PIN card) flaw reactions

The fact that the French fraudsters used the same type of attack raised the question of who is responsible for adopting countermeasures. If researchers prove that flaws exist and even provide working demonstrations, but the banking industry does not act on the information, who is to adopt the measures?

Of course, responsibility and liability are distributed differently in the U.S., and retailers should know this best, or at least seek advice from those who are best informed on the subject. The risks are real and their materialisation is not a negligible detail, even where fraud insurance covers hypothetical fraud cases.

An article from Help Net Security mentions that EMVCo has implemented countermeasures to ensure that this type of exploitation can no longer succeed, without making them public. The lack of transparency is itself a protective measure: the industry does not intend to give attackers clues to use in further attacks.

Chip and PIN is still considered the safer type of banking card and, from the customer's point of view, is safer than its relative, the chip and signature card. From the bank's perspective, once a card is compromised or stolen, the PIN-enabled version appears less safe from a liability standpoint: a PIN card can be used to withdraw cash at an ATM, and in that case the responsibility falls on the bank.

In conclusion, although not one hundred percent safe, the chip and PIN card still offers the strongest protection available to retailers and cardholders.