Uh-Oh. Chip-And-PIN Hack Tactic Discovered

Amid the EMV switchover in the United States, a surprising hack has emerged that might give the system’s champions some pause.

As reported by Wired, French forensics researchers have documented a case in which criminals worked around the chip-and-PIN system, using what the site called a “chip-switching trick” and a piece of plastic mimicking a credit card. Those researchers, at both the École Normale Supérieure university and the science and technology institute CEA, noted that five unnamed French citizens were arrested in 2011 and 2012. They spent about €600,000 using stolen credit cards after being able to circumvent the chip-and-PIN protections.

Using forensic techniques, the researchers found that the alleged thieves actually were able to alter the stolen cards, implanting a second chip inside of them and thus enabling a “spoof” at the POS terminals.

The fraudulent chip was able to “listen” for the query that takes place at the POS when a card and card reader communicate with one another, and then substitute a fraudulent PIN in place of the authentic one.

The French tricksters built 40 PIN spoofs from credit cards that were stolen in France, using the POS thefts to buy lottery tickets and cigarettes, among other items, across more than 7,000 transactions.

But perhaps there’s no cause for alarm quite yet. The forensics paper noted that the vulnerabilities exploited in the 2011 and 2012 cases have since been fixed. Among the tactics used specifically to combat that fraud, some chip-and-PIN readers mandate that a PIN be verified even before it is entered by a user, and also check whether a spoofed signal is being used.
