Those Chip and PIN cards aren't as secure as we thought

Chip and PIN cards and readers are finally rolling out in the United States. Unlike traditional magnetic cards that use static information to make a transaction, pieces of plastic, based on a standard by Europay, MasterCard and Visa, create a new key with each purchase. That should make purchases or withdrawals more secure since the information is only valid for 60 seconds. As it turns out, according to Rapid7 security firm researcher Weston Hecker, a lot can happen in that minute.

At last week’s Def Con security conference, Hecker onstrated how an ATM machine or point-of-sale (POS) terminal can be used to intercept that one-time-use key and other information about the card. That data is then transmitted to another device (in this case another cash machine), which makes a second transaction, such as withdrawing money from your account.

It’s an ingenious proof of concept. But, it requires that at least two devices be compromised. First the target POS or ATM need a piece of hardware installed that reads the card’s chip. This process is called “shimming.” (Doing the same hack with a magnetic card is called “skimming.”) Once the data has been captured, its transmitted to a legitimate ATM that’s been hijacked.


This payout cash machine would be outfitted with a system Hecker calls La-Cara. What it does is trick the ATM into believing the physical card is being dipped then a robot hand enters the PIN. The machine withdraws the maximum amount allowed by the card and — for a while at least — the victim is none the wiser.

Of course an ATM with a robot hand would arouse suspicion. But Hecker realized that if you just put a facade and “out of order” sign on a machine, no one gives it a second look. In fact, there was a cash machine near his house with an “out of order” sign that sat undisturbed for days. When he called the bank, they were unaware the machine wasn’t working.

The big payout would be when shimmers are installed on multiple machines that all transmit to a single hijacked ATM. That hijacked machine will collect and dispense all the cash so whenever the thieves are ready to collect, they just roll up, grab the La-Cara system and cash, and leave. If that ATM is compromised, they just put the facade on another machine in another location and start collecting data (and cash) again.

Hecker spent a year analyzing ATM machines and banking systems to come up with this attack. While the thieves (also called “carders”) are currently still using skimmers to fill their pockets, it’s unlikely they’ll turn away from a life of crime once Chip and PIN cards are the only way to get to your cash.

The presentation was meant to be a wake up call for the banking and ATM systems. There’s a window between now and when a majority of the cash machined become EMV compliant. In that time he hopes that the private owned ATMs are upgraded with foreign device detection and that the time it takes to complete a transaction is reduced from 60 seconds. “That’s one of the biggest defenses,” he told Engadget.

This type of attack probably won’t happen in the next few months, Hecker said he doesn’t expect to see this type of system in the wild until about October 2018. But unless that 60-second gap is closed or made more secure, in the future this will be a problem that affects us all.

Source: Engadget - Read the full article here

Author: Daily Tech Whip

This article is part of our 'News Tiles' service. The site is currently in Beta. When it is fully operational you will be able to search through and arrange the 'Tiles' to display a keyword, product or technology over your chosen time period. For example you would be able to display all of the leading tech articles on the new Kindle Fire, in one spot in real time. You will also have access to our own original reporting and analysis as well as a polished place to post your own thoughts & reviews here, amongst the Daily Tech Whip Community. Please let us know if you have any feedback via the contact form or via Twitter. Don't forget to come back next week and see our full site and claim your name and your own free tech blog.

Share This Post On