Flaw in New ‘Secure’ Credit Cards Would Let Hackers Steal $1M Per Card
http://www.wired.com/2014/11/chip-n-pin-foreign-currency-vulnerability/

> As U.S. banks and retailers are barreling toward a 2015 deadline to replace
> magnetic-stripe credit and debit cards with more secure cards that come
> embedded with a microchip, researchers have announced a critical flaw in the
> card system.
>
> According to researchers at Newcastle University in the UK, the card system
> developed by VISA for use in the United Kingdom fails to recognize
> transactions made in non-UK foreign currencies and can therefore be tricked
> into approving any transaction up to 999,999.99.
>
> “All a criminal would need to do is set up somewhere like an airport or the
> London underground where the use of different currencies would appear
> legitimate.”
>
> What’s more, because the cards allow for contactless transactions, wherein
> consumers need only to have the card in the vicinity of a reader without
> swiping it, a thief carrying a card reader designed to read a card that’s
> stored in a wallet or purse could conduct fraudulent transactions without the
> victim ever removing their card.
>
> Since the transaction is done offline without going through a retailer’s
> point-of-sale system, no other security checks are done.
>
> “With just a mobile phone we created a POS terminal that could read a card
> through a wallet,” Martin Emms, lead researcher of the project that uncovered
> the flaw, noted in a statement about the findings. “All the checks are
> carried out on the card rather than the terminal so at the point of
> transaction, there is nothing to raise suspicions. By pre-setting the amount
> you want to transfer, you can bump your mobile against someone’s pocket or
> swipe your phone over a wallet left on a table and approve a transaction.”
>
> In tests the researchers conducted, transactions took less than a second to
> be approved.
>
> Chip ‘n’ PIN cards, also known as EMV cards, are being rolled out in the
> United States in an effort to undermine large-scale card breaches—such as
> those at Target and other retailers—and skimming operations that allow
> attackers to record the card number and PIN at readers in order to re-use
> them for fraudulent purchases.
>
> EMV cards have an embedded microchip that authenticates the card as a
> legitimate bank card to prevent hackers from embossing stolen card data onto
> blank cards to use it for fraudulent transactions. The chip contains the same
> data that traditionally is stored on a card’s magnetic stripe, but also has a
> certificate used to digitally sign each transaction. Even if a thief steals
> the card data, he can’t generate the code needed for a transaction without
> the certificate. EMV cards are already implemented widely in Europe and
> Canada. To pressure U.S. companies into installing card readers needed to
> process EMV cards securely, VISA has announced a deadline of October 1, 2015.
> Any company that doesn’t have EMV readers in place by then could face
> liability for fraudulent transactions that occur with card data stolen from
> them.
>
> But EMV cards don’t have to make contact with a reader to be used. They can
> also be used for contactless transactions for speed. The EMV system in the UK
> limits the maximum value for a contactless transaction to £20, requiring a
> PIN for anything more than this.
>
> But the researchers found that the system doesn’t recognize foreign currency
> transactions and therefore doesn’t require a PIN for these.
>
> “This lends itself to multiple attackers across the world collecting small
> transactions of perhaps €200 at a time for a central rogue merchant who could
> be located anywhere in the world,” Emms notes. “This previously undocumented
> flaw around foreign currency, combined with the lack of POS terminal
> authentication and the ease of skimming contactless credit cards, makes the
> system more vulnerable to high-value attacks.”
>
> The researchers plan to present their findings this week at an ACM Conference
> on Computer and Communications Security in Arizona.
>
> “It is not clear from reading the payment protocol how banks would deal with
> the inconsistencies we have found through our research, hence we believe the
> vulnerability poses a potential threat,” he said. “The fact that we can
> by-pass the £20 limit makes this new hack potentially very scalable and
> lucrative. All a criminal would need to do is set up somewhere like an
> airport or the London underground where the use of different currencies would
> appear legitimate.”

--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:[email protected]  aim://kimholburn  skype://kholburn
PGP Public Key on request

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
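The flaw the article describes is a limit check that only fires for the domestic currency. The following is an added illustrative model, not the real EMV kernel or VISA's card application: a flawed check that mirrors the reported behaviour beside a fail-closed version in which any currency without a configured limit requires cardholder verification. Currency codes (ISO 4217 numeric), the per-currency limits and the amounts are assumed values constructed for the example.

```python
from dataclasses import dataclass

# Assumed values: ISO 4217 numeric codes and contactless limits in minor units.
DOMESTIC_CURRENCY = "826"            # GBP
DOMESTIC_LIMIT_MINOR = 20_00         # £20.00 in pence, as in the article

# Hardened configuration: explicit limits per accepted currency (constructed).
CONTACTLESS_LIMITS = {
    "826": 20_00,   # GBP, £20.00
    "978": 25_00,   # EUR, €25.00 (assumed figure, not from the article)
}


@dataclass(frozen=True)
class Transaction:
    amount_minor: int   # amount in the currency's minor unit (pence, cents)
    currency: str       # ISO 4217 numeric code as a string


def needs_cvm_flawed(tx: Transaction) -> bool:
    """Models the reported flaw: the £20 limit is only compared when the
    transaction currency is the domestic one; anything else falls through
    with no check at all, so a large foreign-currency amount is approved
    offline without a PIN."""
    if tx.currency == DOMESTIC_CURRENCY:
        return tx.amount_minor > DOMESTIC_LIMIT_MINOR
    return False  # unrecognised currency: no limit applied (the defect)


def needs_cvm_hardened(tx: Transaction, limits=CONTACTLESS_LIMITS) -> bool:
    """Fail closed: a currency with no configured limit always requires
    cardholder verification (PIN / online authorisation); a known currency
    is checked against its own limit in its own minor units."""
    if tx.amount_minor <= 0:
        return True  # refuse to treat zero/negative amounts as low-value
    limit = limits.get(tx.currency)
    if limit is None:
        return True
    return tx.amount_minor > limit


if __name__ == "__main__":
    big_foreign = Transaction(999_999_99, "978")   # 999,999.99 in EUR
    print("flawed  :", needs_cvm_flawed(big_foreign))     # False (no PIN)
    print("hardened:", needs_cvm_hardened(big_foreign))   # True  (PIN)
```

Issuer-side, the same fail-closed rule applies when scoring offline-approved contactless transactions: a non-domestic currency paired with an amount above the domestic limit is the signal the researchers describe.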
