Chip n' Pin Card Hack

This article excerpt, written by Andy Greenberg, originally appeared here: 

The chip-enabled credit card system long used in Europe, a watered-down version of which is rolling out for the first time in America, is meant to create a double check against fraud. In a so-called “chip-and-PIN” system, a would-be thief has to both steal a victim’s chip-enabled card and be able to enter the victim’s PIN. But French forensics researchers have dissected a real-world case in which criminals outsmarted that system with a seamless chip-switching trick, and pulled off the feat with a slip of plastic that’s almost indistinguishable from a normal credit card.

The French fraudsters took advantage of a long-known vulnerability in chip-and-PIN systems, previously demonstrated only by academic researchers, to execute what the researchers describe as a “man-in-the-middle” attack on the way cards and card readers communicate. When a buyer inserts his or her card and enters a PIN, the card reader sends the chip a query (the EMV VERIFY command) asking whether the PIN is correct. A fraudulent chip wired between the reader and the real chip can listen for that query and answer it itself, with a “yes” signal, regardless of whatever random PIN the fraudster has entered; the real chip never sees the PIN, so it neither checks it nor decrements its retry counter. “The attacker intercepts the PIN query and replies that it’s correct, whatever the code is,” says ENS researcher Rémi Géraud. “That’s the core of the attack.”
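The exchange described above, as an added example that is not part of the original article and not the researchers' own code. The APDU framing (CLA INS P1 P2 Lc data), the EMV instruction codes VERIFY (0x20) and GENERATE AC (0xAE), the plaintext PIN block format and the status words 0x9000, 0x63Cx and 0x6983 are the real values; the one-byte "PIN verified" report the card returns, and the HMAC that stands in for the card's cryptogram (ARQC), are simplifications assumed here so the example runs offline. The wedge chip answers VERIFY itself and relays everything else, and the issuer-side check shows the inconsistency that results:

```python
"""Simplified model of the chip-and-PIN wedge attack. Constructed example, not EMV code.

Real values: ISO 7816-4 APDU framing, EMV VERIFY (INS 0x20), GENERATE AC (INS 0xAE),
plaintext PIN block format 2, status words 0x9000 (OK), 0x63Cx (wrong PIN, x tries
left) and 0x6983 (PIN blocked).
Assumptions: the card's one-byte report stands in for the CVR inside the Issuer
Application Data, and an HMAC-SHA256 over that report stands in for the ARQC.
"""
import hashlib
import hmac
from dataclasses import dataclass

INS_VERIFY = 0x20
INS_GENERATE_AC = 0xAE
SW_OK = 0x9000
SW_PIN_BLOCKED = 0x6983
CVR_PIN_VERIFIED = 0x01  # assumed bit layout of the card's report


def encode_pin_block(pin: str) -> bytes:
    """Plaintext offline PIN block, format 2: nibble '2', PIN length, BCD digits, F padding."""
    digits = pin + "F" * (14 - len(pin))
    return bytes.fromhex(f"2{len(pin):X}{digits}")


@dataclass
class GenuineCard:
    pin: str
    issuer_key: bytes
    tries_left: int = 3
    pin_verified: bool = False

    def transmit(self, apdu: bytes) -> tuple[bytes, int]:
        ins = apdu[1]
        if ins == INS_VERIFY:
            if self.tries_left == 0:
                return b"", SW_PIN_BLOCKED
            if apdu[5:5 + apdu[4]] == encode_pin_block(self.pin):
                self.pin_verified = True
                return b"", SW_OK
            self.tries_left -= 1
            return b"", 0x63C0 | self.tries_left  # wrong PIN, x tries left
        if ins == INS_GENERATE_AC:
            # The card reports its own view of PIN verification; the MAC binds
            # that report to the card so a wedge cannot rewrite it.
            cvr = bytes([CVR_PIN_VERIFIED if self.pin_verified else 0x00])
            mac = hmac.new(self.issuer_key, cvr, hashlib.sha256).digest()[:8]
            return cvr + mac, SW_OK
        return b"", 0x6D00  # instruction not supported


@dataclass
class WedgeChip:
    """Fraudulent chip sitting between reader and real chip: it answers VERIFY itself."""
    real_card: GenuineCard

    def transmit(self, apdu: bytes) -> tuple[bytes, int]:
        if apdu[1] == INS_VERIFY:
            return b"", SW_OK  # "yes", whatever PIN was typed; the real card never sees it
        return self.real_card.transmit(apdu)


def run_transaction(card, entered_pin: str) -> dict:
    """Terminal side: VERIFY the PIN, then ask for a cryptogram to send to the issuer."""
    verify = bytes([0x00, INS_VERIFY, 0x00, 0x80, 0x08]) + encode_pin_block(entered_pin)
    _, sw = card.transmit(verify)
    if sw != SW_OK:
        return {"approved": False, "terminal_pin_ok": False, "card_report": b""}
    report, sw = card.transmit(bytes([0x80, INS_GENERATE_AC, 0x80, 0x00, 0x00]))
    return {"approved": sw == SW_OK, "terminal_pin_ok": True, "card_report": report}


def issuer_check(result: dict, issuer_key: bytes) -> str:
    """Issuer side: authenticate the card's report and compare it with the terminal's claim."""
    if not result["approved"]:
        return "declined"
    cvr, mac = result["card_report"][:1], result["card_report"][1:]
    expected = hmac.new(issuer_key, cvr, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, expected):
        return "bad cryptogram"
    card_pin_ok = bool(cvr[0] & CVR_PIN_VERIFIED)
    if result["terminal_pin_ok"] and not card_pin_ok:
        return "mismatch: terminal says PIN verified, card says it never was"
    return "consistent"


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # constructed for the example
    honest = GenuineCard(pin="1234", issuer_key=key)
    print(issuer_check(run_transaction(honest, "1234"), key))  # consistent
    print(issuer_check(run_transaction(honest, "0000"), key))  # declined
    wedge = WedgeChip(GenuineCard(pin="1234", issuer_key=key))
    print(issuer_check(run_transaction(wedge, "0000"), key))   # mismatch: ...
```

The terminal approves the wedge transaction with any PIN, and the stolen card's retry counter is untouched because the VERIFY never reached it. In the real protocol the card's report is the CVR carried in the Issuer Application Data and covered by the cryptogram, so an issuer that compares it with the terminal's CVM Results can see the same inconsistency that `issuer_check` flags; whether that is the fix the article says was deployed in Europe is not something the article discloses.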

The ENS and CEA forensic researchers note that the vulnerabilities used in the French fraud they analyzed have since been fixed, at least in Europe, though they declined to fully detail the new security measures. EMVCo, the consortium responsible for the chip-and-PIN standard, didn’t respond to WIRED’s request for comment. Nonetheless, cases like the French PIN-spoofing attack show that motivated criminals were able to defeat what EMVCo long considered an unassailable system.