Hackers Crack Chip-and-PIN for Real!

Hasnain
November 11, 2015

 

The chip-and-PIN ATM card technology is not really new anymore as it has been in use in the UK since 2003 and recently the US has been adopting it. It has many advantages over the older magnetic stripe such as it being more secure and it’s not damaged by magnetic fields. Hackers are always out and about trying to crack security systems but it’s easier said than done hence it has been in use since a long time and only now and it has been compromised as well and now they can hack the system and steal your cash. It’s not as easy as on a magnetic stripe card but it’s still very much possible with the right technique and tools. So far theoretically it was impossible because the security protocols encrypted data much more securely as compared to a magnetic stripe card which holds all the data on the magnetic stripe on the back of the card.

US adopted this new system because it would improve the security for the customers, merchants and financial institutions. This is true, but the problem is that when the market pushes in one direction, in this case the adoption of the chip-and-PIN technology, crooks exploit to ways to compromise it.

A new “shimmer” was found, that can be inserted directly in the mouth of the ATM card receptacle, between the chip of the user’s card and the chip reader in the ATM, making possible to record the data from the card while the ATM is reading it. It is fast as it works on dip readers as well (the kind of card reader that requires you to briefly insert your card and then quickly remove it) The device is inserted from the outside of the ATM and no access is required to the ATM internals. Together with a hidden camera and/or a fake PIN keyboard, this can be a deadly combo to steal money.

Using X-Ray scan and other microscopic scans, the researchers figured out that the criminals actually inserted a second chip onto stolen chip-and-PIN cards, enabling them to duplicate the PIN verification on many registers’ point-of-sale (POS) terminal.

The fake chip, known as a FUNcard, enabled the thieves to carry out a Man In The Middle attack, which involves intercepting communications on the point-of-sale (POS) terminal. When a shopper inserts his or her card into a POS terminal, the terminal automatically tries to verify its authenticity. In this case, the FUNcard is waiting with its own, fake “Yes” signal when the authenticity check arrived.The attacker intercepts the PIN query and replies that it’s correct, whatever the code is.

Until 2011, the concept of spoofing the PIN on a chip-and-PIN card was largely theoretical. A group of Cambridge University researchers discovered similar flaws, but this crime ring appears to have been the first time the trick has been practically implemented. Malicious software used on ATMs in Russia and Europe has also broken through chip-and-PIN safeguards, allowing thieves to drain ATMs of cash in at least one case as reported by several news outlets.

We think this was coming, as we mentioned earlier than any man-made technology has the risk of being reverse-engineered, manipulated or hacked in some way sooner or later. We hope that the companies responsible for ATM security protocols devise better safeguards and close any loopholes to avoid huge monetary losses in the future.

It is also pertinent to mention here that this new technology is now also being introduced in the Pakistani market. Banks like UBL, HBL and Faysal Bank are now offering these new chip based cards. However chip-and-PIN technology might totally not be implemented in its true form because the banks have still not implemented the PIN codes and customers still have to manually sign their receipts. The Government  is considering a regulation to enforce banks to move from magnetic stripe to Chip-and-PIN within 3 years however this might get delayed as we don’t have any data for ATM fraud yet because no bank publishes it as well as the fact that Chip-and-PIN cards are more expensive than the current magnetic stripe ones. Even though this newer technology has been compromised we feel that it should be definitely implemented in Pakistan soon.

 

 

Like it, share
  •  
  •  
  •  
  •  
  •  
  •