Forensic Analysis of Smart Card Fraud

This paper describes what is almost certainly the most sophisticated chip-and-pin credit card fraud to date.

News article. BoingBoing post.

Posted on October 23, 2015 at 6:58 AM • 23 Comments

Comments

ramriot • October 23, 2015 7:13 AM

This whole hack follows an adage a friend of mine coined: "Hacks never get worse" in that in 2010, researchers showed that this was possible using a backpack full of electronics and a wired up smart card.

Which is what the banks used to poo-poo the practicality of the hack, and thus do nothing to mitigate it. Today the same thing is possible in a form factor that looks just like the original card, albeit just 0.3mm thicker.

Gweihir • October 23, 2015 7:25 AM

Nice hardware hack. Not too difficult.

I would probably have tried to set the original chip deeper into the card to prevent the bump that putting the second one on top created. There is not a lot of vertical space though, so I am not sure that is possible. As to the "specialized equipment", all of that you should be able to build yourself from purchases that do not look suspicious. If you do not mind having to do several slow tries, you can do a spot-welder for fine copper or gold wire with engraving cutters and a Dremel drill and stand, for example.

Of course, carrying a switched-on cellphone while being anywhere near the place the card was used is a bad beginner's mistake. All data they can get their hands on is retained these days, and usually not for actually acceptable reasons like catching fraudsters as was done here.

Question:
These FUN cards sound like pretty nice toys. Does anybody know where you can get them in small numbers?

Piper • October 23, 2015 8:03 AM

The take-away for me is this: when perpetrating credit card fraud, leave your phone at home.

ianf • October 23, 2015 8:07 AM

Assuming the cards have been reported as stolen, thus invalidated by the issuers, how was it even possible they would be accepted for cash withdrawal in ATMs?

Even so, I assume the nominal owners of these stolen/ reported cards can not be held accountable for the losses. The ArsTechnica article reports that several people were swindled while their own cards rested in their pockets and/or the PINs were not divulged. So were the cards cloned from start to finish?

In view of the above, it appears to be a good cautionary tactic to never pay for anything using PIN above a certain value level, only use manual ID or passport in such cases as this will leave traces of a 2nd-factor authentication. Then one can point back at the credit card purchase history, and show that one does not buy ANYTHING using the PIN outside, say, the 2-3 grocery stores in the area… a powerful argument that one HAS BEEN defrauded, and is not trying to shift the blame onto some to the bank unknown 3rd party.

keiner • October 23, 2015 8:41 AM

@ianf have fun arguing with your bank!

My credit card has been charged fraudulently by a company after I put the card into the reader, did not provide the PIN or my ID card. Transaction was terminated, but they charged me anyway... Was corrected after some discussion, nearly one year later, same shop (had never been there again) again charged my credit card, they had never seen the card again in the meantime.

This whole system is so f*cked up beyond all repair. Cash. Nothing else, whenever possible.

@Pin_Chipper • October 23, 2015 8:49 AM

Not mentioned in article are two additional exploits: 1) collection of real cryptograms for use later at devices where random number can be predicted and 2) back end switch of transaction details which customer unwittingly authenticates.
Both cases keep card in customer's possession with no indication of fraud until next transaction is attempted. CPP analysis may catch some of these, however a remote breach makes this attack almost impossible to trace.

Steph • October 23, 2015 11:30 AM

@ianf these were not used to obtain cash directly from ATMs/cashpoints, but to buy low-value easily-resellable items like lottery tickets. The card was hacked to tell the reader "no need to contact the bank to see if the card is valid".

r • October 23, 2015 12:24 PM

I think 'CHIP and PIN' may be an inadequate description if this is right, maybe it should be referred to as 'PIN on CHIP'.

?

tyr • October 23, 2015 2:00 PM

I remember reading something recently from a merchant who used to do IT that the US implementation of chip and pin was broken by leaving out one of its parts. He also said the banks had shifted the burden onto the merchant when they accepted a bad transaction.

Taken together it seemed like bad ideas all around.

Anonymous Cow • October 23, 2015 2:41 PM

...the banks had shifted the burden onto the merchant when they accepted a bad transaction...

Merchants have always absorbed the financial burden. When an issuing bank receives a protest US law requires the cardholder be credited while the investigation occurs. The bank can always restore the charge later. The bank in turn issues a chargeback to the merchant; now the merchant must provide what evidence it can about the original charge. Even if the bank agrees with the merchant and returns the charge the merchant is out the chargeback fee, along with the original processing fee.

The merchant also has the labor expense of gathering the evidence. Because of how US law is worded a merchant might not get a chargeback notice until four months after the transaction.

LessThanObvious • October 23, 2015 3:43 PM

@r I think where it gets hosed up is that the issuing banks want the consumer to be able to do transactions in an offline mode, so they don't make the authentication exclusively network dependent. There are probably things that could be done to make the card validation better even given that context.

John Macdonald • October 23, 2015 3:48 PM

The burden was historically on the merchant to decide whether to accept the form of payment offered by the customer. Counterfeit money or bad cheques required the merchant to try to find and prosecute the customer who had cheated them in an attempt to recover their loss.

Now, whether a credit card payment *should* fall into this category is debatable. The credit card company controls the tools that can (sometimes incorrectly) validate the card; but the merchant is the one capable of making visual observation and detecting any "hinky" behaviour (if any and if it actually relates to the validity of the transaction). I think the credit card company ought to shoulder more of the responsibility, but I also suspect that the frequency/cost of bad transactions from credit cards is lower than bad checks, so it is still advantageous for merchants to accept that responsibility unless they are willing to restrict their clientele to cash only.

r • October 23, 2015 4:03 PM

@LessThanObvious,

I concur, this seems rather suspect if this is the direction payment systems are moving in respect to EMV. Although I don't have any formal training in anything remotely connected to this stuff I AM an American consumer: AND my current level of understanding of the outbound-magstripe system required network verification as credit card machines could be "down" for various reasons including weather.

I suppose though this could be related to batch processing of transactions instead of timely verification processes.

Why? is most certainly the question of the day... maybe the network protocol in non-batch mode is capable of being MiTM'd like this too???

r • October 23, 2015 4:09 PM

@LessThanObvious,

Also, assuming the entered pin is not transmitted plaintext -- is copying a pin off-wire feasible like the way WPS[1.0?] is vulnerable?

Scary shit, maybe I should get into the maker movement and take a page from you hardware/security engineers and try my hand at POS development. It's pretty lucrative isn't it?

ianf • October 26, 2015 11:15 AM


Thanks, Thoth, but… askg.info has certificate problems (bad web! bad!); and also you need to add a concise 1 paragraph abstract at the top explaining what the paper illuminates and/or proposes. Mere title

Suggestions for Secure Smart Card Engineering (Part 1 - Secure Channel Protocol)

is much too barebones to be enlightening.

Finally, it wouldn't hurt to add a few-line mobile CSS declarations or a file, and a viewport trigger for it. Small things but oh so telling.

ianf • October 26, 2015 1:50 PM


@ Steph “[the hacked chip cards] were not used to obtain cash directly from ATMs/ cashpoints, but to buy low-value easy resale items like lottery tickets. The card was hacked to tell the reader "no need to contact the bank to see if the card is valid".”

I see, being used in POS (point of sale) terminals (presumably of a specific brand and/or model) to buy sizable quantities of lottery (scratch?) tickets over the counter. But it still doesn't add up to the €680k or whatever the # fraud – that'd have been lorry loads of tickets suddenly being in demand in given places. Rule #1 of crime: don't draw attention to yourself during execution and goods disposal.

Similarly with buying low-value items for resale: you can't buy too many such at the same point, or it will stand out in the online accounting dept., raise an eyebrow, and become trail of evidentiary. Thus "liquifying" ill-gotten small gains in this fashion would most probably take far too long for it to be of use. Doesn't.Add.Up.

In early 90s a particular crime manifested itself in NYC: illicit resale of stolen long-distance telephone minutes. A guy would accost you by the public telephone banks in Grand Central Station/ equivalent, and offer favorable rates to many far-away countries. If game, he'd pocket the charge, punch in his secret access code for agreed-upon # of minutes, then you dialed the foreign number while he stood by until it answered and then he vanished (or gave your money back). I think it took the telephone company 2 weeks to discover the scam, then the police another 2 to wind it up. Now it'd take them 2 days. I haven't heard of any repeats of it elsewhere in the world, so presumably such tele-accounting holes have been plugged up.


@ keiner […] “have fun arguing with your bank!”

Sad stuff, but believe me that in this locality, my bank slash mortgage lender doesn't automatically see me as an enemy, and the legal praxis (jurisprudence) doesn't follow the American punitive approach to conflicts between individuals and commercial entities. I am not saying that miscarriages of justice never happen here, but, if the bank (or the card issuer) charges me for some unknown transaction (and any such above ~$3000 needs to be notified in advance), and I write them back denying all knowledge of it, they have to report it to the police as either scam or fraud attempt. Even should they persist in trying to pin it on me after the police clear me, they'd first have to take me to court, where the burden of proof is on them… all I'd have to do is declare that I didn't do it, and present my financial withdrawal pattern history (in graver cases assisted by Legal Aid defense attorney). I read more of people who've been spending freely in the Far East, and suddenly found their credit cards cancelled, than of card frauds against small-fry individuals. When large scale card fraud happens, it usually affects groups of somehow (if hitherto unknowingly) connected people, which in due time provides evidence of them being victims of ID-hijacking, rather than the perps in question.


This whole system is so f*cked up beyond all repair. Cash. Nothing else, whenever possible.

Cash in pocket is an incentive to street robbery (as is waving jewelry, flashy clocks, and smartphones around), which would always be more debilitating than becoming a victim of card fraud, where there usually is a recourse. Also cards provide other benefits, like automagic travel insurance for up to 60 days etc. I no longer stop by an ATM, because when I need some cash in hand, I get it on the card from the till in a major retailer's store [doesn't cost me an iota]. This is the S.O.C.I.A.L.I.S.M that your parents been warning you against! ;-))

Thoth • October 26, 2015 7:04 PM

@ianf
The website is self-signed by myself so if you want the checksum hash I can put it here. Not gonna trust CAs to do verification for me.

The topic is not really a "paper" I intend to write but a list of problems and my view of potential solutions I think will help with smart card security.

I am not bothering for CSS and complexity so that anyone can verify it's HTML 3.2 in case of infiltration and spreading of rich media exploits. There will not be rich media or additional stuff that will make it hard to proof the HTML syntax. It is part of the website's self-protection mechanism to be barebones simple for viewing HTML by humans to detect problems.

Part 2 and probably part 3 will take some time to write.

ianf • October 27, 2015 3:35 PM


ADMINISTRIVIA OF INTEREST TO @Thoth ONLY, OTHERS IGNORE

you misunderstood me. The askg.info domain is invalid in DNS tables; and/or lacks some web certificate which made my (mainstream) ISP's server inquire explicitly if I wanted to proceed. Neither I, nor anyone else should have, as you suggest, go through a hashed checksum validation phase to read "some text."

Try to access the paper from a smartphone to see how unreadable it appears at a first glance - that's why I suggested rudimentary changes to make it conform to other displays than your default *top monitor one. Use of CSS formatting does not make the hypertext file into a rich text one. Besides, your HTML doesn't validate at any level that I tried, so it's already full of potential holes for presumptive attackers:

(1) Unable to parse any HTML input. peer not authenticated
http://www.freeformatter.com/html-validator.html

(2) lots of errors in non-DTD-based validator
http://validator.w3.org/nu/?doc=https%3A%2F%2Faskg.info%2Fitem%2Fsuggest-sec-sc-1.html

(3) lots of silly errors
http://www.htmlhelp.com/cgi-bin/validate.cgi?url=https%3A%2F%2Faskg.info%2Fitem%2Fsuggest-sec-sc-1.html&warnings=yes

(4) Sorry! This document cannot be checked.
I got the following unexpected response when trying to retrieve <https://askg.info/item/suggest-sec-sc-1.html>:

500 Can't connect to askg.info:443
https://validator.w3.org/check?uri=https%3A%2F%2Faskg.info%2Fitem%2Fsuggest-sec-sc-1.html&charset=%28detect+automatically%29&doctype=Inline&group=0

(5) squish.net DNS comprehensive traversal checker
1 error prohibited this traverse from being saved
There were problems with the following fields:

Domain name is invalid
http://dns.squish.net/traverses/create_anon

When you've fixed it, I'll read it… then may have some questions about card security.

ianf • December 17, 2015 7:25 PM


[…] I don’t know why i am posting this here, i just felt this might help those of us in need of financial stability. blank Atm has really change my life

You DON'T know WHY? Let me dispel your uncertainty: because you're a federal agent of low enough pay grade and seniority to fall for this in-agency ploy on how you can reach your quarterly target of catching so-and-so many manufactured criminals, i.e. idiots who will fall for this type of overt get-rich-quick sting-op honeypot.

And you know what…? I'd be in favor of that if your lot would for once do something Darwin Awards-worthy with those gits, rather than simply incarcerate them to no avail, while congratulating yourselves of winning another small victory in this your ongoing, yet somehow never won, War on Cyber- or other crime. This explanation simple-English enough for you, even if not really in line with what you could show to your superiors?

Bong-Smoking Primitive Monkey-Brained Zombi • December 17, 2015 7:52 PM

@ianf,

because you're a federal agent of low enough pay grade and seniority to fall for this in-agency ploy on how you can reach your quarterly target

Fu*k! I just bought 20 cards from the spook :(

Wael • February 24, 2016 8:07 PM

Do you also reload any other card not from this croned cards?

Anyone wants to guess the nationality of this wise ass? :)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.