Crooks stole €600,000 in MitM attacks on EMV Cards

A group of French researchers discovered how Fraudsters Stole nearly $680,000 Via MitM Attack on EMV Cards.

On October 1st, EMV (Europay, MasterCard, Visa) cards have been introduced in the US to improve the security of payment card holders. EMV cards, also known as chip-and-PIN cards, rely on a cryptographic chip to improve security of banking transaction and avoid frauds. The EMV technology has been used in Europe for many years, each transaction is composed of three phases, the card authentication, the cardholder verification, and the authorization of the transaction.

In the first phase, the PoS system determines which applications are supported by the card (e.g. Debit, credit, ATM, loyalty), in the next cardholder verification phase, the PoS verifies the cardholder by requesting the PIN and transmits it to the card.

In the transaction authorization phase, the transaction data is sent to the card (i.e. amount, currency, date and other transaction details). The card responds with an authorization request cryptogram that is sent to the card issuer that responds with an authorization request code that instructs the PoS on how the transaction should be handled.

Are EMV cards totally secure?

In 2010, a group of researchers at the University of Cambridge discovered a vulnerability flaw that allowed crooks to use stolen chip-and-PIN cards without knowing the associated PIN.

They explained that the vulnerability was triggered by using an electronic device that acted as a man-in-the-middle (MitM). The device was used to prevent the PIN verification message from getting to the card in the second phase of the transaction and emulating the same behavior for successful PIN submission.

The team of researchers also explained that it would be possible to miniaturize the MitM device making it possible to attach it to the card. The experts admitted this was the “most sophisticated smart card fraud encountered to date.”

In subsequent years, the security experts observed that many EMV cards stolen in France had been fraudulently used in Belgium.

The investigators analyzed the mobile devices present in the nearby of the places where the cards were used and discovered in all the cases that a 25-year-old woman was present. Law enforcement arrested the woman and later her accomplices.

Among the member arrested by the authorities, there was also the mind of the organization, the engineer who created the fake chip-and-PIN cards.

According to the law enforcement, the cyber gang has conducted nearly 7,000 transactions using 40 modified cards. Fraudsters stole €600,000 ($680,000) with the technique uncovered by the researchers.

A group of researchers from France’s École Normale Supérieure as well as the Centre Microélectronique de Provence made a forensic analysis of the evidence from the 2011 arrests and to analyze the attack method implemented by fraudsters.

As a result of their work, this month the researchers published a detailed analysis of the attack scheme.

In a paper published earlier this month, experts said the fraudsters used two chip stacked to run the attack. The first chip was the legitimate one clipped from the stolen EMV card, while the second was used as the MitM device. This second card was a FUN card that accepts any submitted PIN, even if it is incorrect.

The chip from the genuine card was used to conduct the card authentication and transaction authorization phases, while the cardholder verification step was hijacked by the FUN chip.

The two stacked chips were embedded into a new plastic card, but it could still be inserted into a PoS reader.

Is the attack still feasible?

The researchers explained that the attack is no more feasible due to the introduction of a new authentication mode dubbed “Combined Data Authentication” or CDA, and other network-level protections.

Pierluigi Paganini

(Security Affairs – EVM card, cybercrime)