Chip-and-PIN credit cards hacked easily, Black Hat conference proves

Tod Beardsley, senior security research manager for Rapid7, displays a shimmer, a small device that can record and transmit credit card chip information, during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. © David Becker
The new credit card with a chip in it in your wallet ‒ touted as being less vulnerable than the old magnetic swipe version ‒ isn’t as safe as you think. Hackers at Black Hat proved once again the chip-and-PIN cards are not as impenetrable as they seem.

It only takes small modifications to equipment to bypass the chip-and-PIN protections and enable unauthorized payments, multiple researchers at the Black Hat convention in Las Vegas, Nevada demonstrated on Wednesday.

The new cards, which began rolling out in the US in October 2015, use technology ‒ called Europay, MasterCard and Visa (EMV) ‒ that has long been standard in Europe. It is designed to prevent the duplication of cards and to crack down on the use of stolen cards: unlike a magnetic stripe, which is just static data, the chip authenticates each transaction cryptographically. The cardholder inserts the chip into a card reader, then enters a personal identification number, or PIN. In the US, however, the financial industry only requires a signature after the chip is read, which is less secure. Some retailers have ignored the new technology altogether and just ask customers to swipe their chip cards, the same as a traditional credit or debit card. At Black Hat 2016, as in past conferences, hackers focused on the more secure chip-and-PIN configuration.

Hacking next-gen ATMs, from capture to cashout

A team from Rapid7, a cybersecurity consulting firm, made a mostly unmodified ATM spit out hundreds of dollars in cash.

“The modifications on the ATM are on the outside,” Tod Beardsley, security research manager for Rapid7, who oversaw the hack, told the BBC. “I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”

The team used a shimmer device called La-Cara, a $2,000 automated cash-out machine that works on current EMV ATMs. It is placed in the card slot of the cash-dispensing machine like a shim and hides an automated PIN keypad and a flashable EMV card system. It takes a snapshot of the transaction data, then uses harvested card data ‒ downloaded through an internet-connected smartphone and used to essentially recreate that card ‒ to withdraw money from any ATM.

“This demonstration of the system can cash out around $20,000/$50,000 in 15 min. With these methods revealed we will be able to protect against similar types of attacks,” the Black Hat description of the briefing said.

Rapid7 would not reveal the specifics of the process it used, but has alerted major ATM manufacturers and banks to the vulnerability, Beardsley told the BBC.

Such shimming devices are already in use in touristy areas of South America, The Register reported.

Breaking payment points of interaction

Also on Wednesday, Nir Valtman and Patrick Watson, researchers with NCR Corporation, demonstrated different ways of hacking “payment points of interaction”, such as PIN pads ‒ including those for chip-and-PIN cards. They used both passive and active man-in-the-middle attacks to replace key libraries and files on PIN pad devices; the weakness that makes this possible is that the devices do not authenticate the files loaded onto them.

Once the researchers had placed their files on the PIN pads, they were able to capture both the card’s track data and its Card Verification Value (CVV), the three- or four-digit number on the back of the card. To get the PIN for an EMV card, they then used an active man-in-the-middle attack on the PIN pad, injecting a form that asks the cardholder to re-enter their PIN. It captured that vital information in plaintext.

“If you see a screen that asks you to re-enter your PIN, take the card out and start a new transaction,” Valtman said during the presentation.

Their attack methods sidestep the chip-and-PIN protections: the stolen track data can be written to a cloned magnetic-stripe card and used at terminals that don’t support EMV technology, and the card number can be used for online purchases.

“EMV doesn’t prevent you from using the card number elsewhere or prevent you from modifying the captured data offline,” Watson said.

Their methods do not work, however, on devices with point-to-point encryption enabled, and the pair recommends that manufacturers use only hardware-based encryption and accept only firmware updates that are signed by the vendor itself and verified on the device before installation.

“We need to make sure no one can downgrade the firmware or replace it,” Watson said. “Sometimes you can do that with just a command. Then we can perform these same attacks.”
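The two recommendations above (accept only vendor-signed firmware, and never let anyone downgrade it) are concrete enough to show as a check. The following is an added example written for this article, not code from NCR, Rapid7 or any PIN pad vendor: it models a device that ships with only the vendor’s Ed25519 public key, shows the weak behaviour the talk describes (flash whatever arrives on the update channel) beside a hardened installer that verifies the image hash, the vendor signature over a manifest, and a monotonic version number. The manifest format, the key type, the `Device`/`Update` types and the sample images are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical header the vendor signs. Signing the version
// together with the image hash is what lets the device refuse downgrades:
// an attacker cannot pair an old, validly signed image with a new version.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// signedBytes is the canonical encoding the signature covers (assumed format).
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update is what arrives on the PIN pad's update channel (assumed format).
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadHash  = errors.New("image hash does not match manifest")
	ErrBadSig   = errors.New("manifest not signed by the vendor key")
	ErrRollback = errors.New("refusing downgrade or reinstall of the same version")
)

// VendorSign runs on the vendor's build system, the only place the private key lives.
func VendorSign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.signedBytes()), Image: image}
}

// Device models the PIN pad: it holds the vendor public key and its running version.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

// InstallUnverified is the weak behaviour the talk describes: whatever arrives
// through the update command is flashed, so anyone in the path can replace
// libraries or push back a build with known bugs.
func (d *Device) InstallUnverified(u Update) error {
	d.Installed = u.Manifest.Version
	return nil
}

// InstallVerified is the hardened path: hash, then vendor signature, then anti-rollback.
func (d *Device) InstallVerified(u Update) error {
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrBadHash
	}
	if !ed25519.Verify(d.VendorKey, u.Manifest.signedBytes(), u.Signature) {
		return ErrBadSig
	}
	// A genuine old signature must not let an attacker reinstall a build
	// whose bugs were fixed later, so the version has to move forward.
	if u.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Manifest.Version
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample images; a real image would be the firmware binary.
	good := VendorSign(vendorPriv, 2, []byte("firmware v2 (constructed sample)"))
	old := VendorSign(vendorPriv, 1, []byte("firmware v1 with the update bug (constructed)"))
	evil := VendorSign(attackerPriv, 3, []byte("attacker build that leaks PINs (constructed)"))
	tampered := good
	tampered.Image = []byte("same signed manifest, swapped library (constructed)")

	weak := &Device{VendorKey: vendorPub, Installed: 2}
	fmt.Println("unverified device accepts attacker build:", weak.InstallUnverified(evil) == nil)

	dev := &Device{VendorKey: vendorPub, Installed: 1}
	fmt.Println("vendor v2:      ", dev.InstallVerified(good))
	fmt.Println("attacker v3:    ", dev.InstallVerified(evil))
	fmt.Println("downgrade to v1:", dev.InstallVerified(old))
	fmt.Println("tampered image: ", dev.InstallVerified(tampered))
	fmt.Println("running version:", dev.Installed)
}
```

The order of the checks matters in practice: the cheap hash comparison rejects a corrupted or swapped image before any signature work, the signature check rejects anything not produced by the vendor, and the version check is what closes the “just a command” downgrade Watson describes, because the rejected build may carry a perfectly valid signature.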

Previous chip-and-PIN hacks

It’s far from the first time Black Hat has featured hackers focused on the new credit card technology. At the 2011 conference, Inverse Path and Aperture Labs held a briefing entitled ‘Chip & PIN is definitely broken: Credit card skimming and PIN harvesting in an EMV world’. This group also used skimming to capture PINs entered at ATMs.

A year later, researchers for MWR InfoSecurity again exposed EMV vulnerabilities at Black Hat. That pair used specially built EMV cards that, when inserted into card readers, compromised PIN pads by installing malware to capture data from cards subsequently inserted into that device, American Banker reported in 2012. The data was retrieved by a second fake card.

In 2014, AccessData’s Lucas Zaichkowsky mapped the sensitive data captured from PIN pad readers that accept chip cards the entire way through the electronics payment structure.