Ever since the big Target hack in November, consumers and Congress have been demanding that all major retailers upgrade immediately to a Chip and PIN EMV system, where the customer must enter a four-digit code when they use their credit or debit card to conduct a transaction. Retailers and credit card processors have been dragging their feet because the implementation demands a total investment of over 8 billion dollars. Now recent developments may have put the kibosh on rapid deployment of PEDs (PIN Entry Devices).
Two Cambridge researchers have devised a “man in the middle” attack using a modified Chip and PIN terminal that enables attackers to bypass bankcard security measures. Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, revealed in January that they had customized a supposedly tamper-proof Chip and PIN terminal to play Tetris. Now they have gone to the next level and developed a scheme in which they compromise a PED by relaying card information between a fake card and a genuine one.
The “man in the middle” technique involves having a separate card reader in a backpack. The crook uses a stolen credit or debit card to pay a bill, but then the second reader in his bag sends a “PIN OK” signal to the shop terminal. The shop terminal then sends back a transaction go-ahead signal to the terminal with the stolen card and money is taken from it.
In an even more sophisticated setup, the victim goes to pay their bill and enters their card details into a terminal that looks real, but has actually been tampered with. It is not connected to their bank, but to a laptop on the premises.
The terminal is completely under the control of a criminal, who has modified the hardware to relay the card information from his laptop to the laptop of an accomplice, for example in a jewelry shop across town. The accomplice’s laptop receives the information relayed from the legitimate card back in the restaurant, and is connected to a modified bankcard by an RFID chip which communicates wirelessly with it.
The victim places their card into the modified terminal in the restaurant and enters their PIN. The first crook texts their accomplice at the jeweler’s shop, and tells them to start the heist. The accomplice inserts the fake card into the jeweler’s terminal. All transactions from the jeweler’s terminal are then relayed via the fake card, laptops, and fake terminal to the legitimate card.
This links the jeweler’s terminal to the victim’s bank. As the criminal controls the terminal in the restaurant, they can make it display that the victim will pay $20, when in reality the victim is being charged $2,000 at the jeweler’s for a diamond ring. The scary part is that the criminal doesn’t need to hack into any systems or run any decryption, as data is simply being relayed from one terminal to another. The good news is that the bank would probably make up most of the loss.
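As an added illustration that is not part of the original post or the Cambridge researchers’ work, the following Python model shows why the relayed transaction looks legitimate to the bank: the genuine card only ever computes its cryptogram over the amount the jeweler’s terminal actually requested, so the only falsehood is on the tampered restaurant terminal’s display. The HMAC-based cryptogram, the single key shared by card and issuer, the PIN handling and the merchant names are simplifying assumptions, not real EMV details.

```python
import hmac
import hashlib

# Constructed demo key; in the model it is shared by the genuine card and the issuer.
CARD_KEY = b"constructed-demo-card-key"


def _cryptogram(key: bytes, amount_cents: int, merchant: str) -> str:
    # Simplified stand-in for an EMV application cryptogram: a MAC over the
    # transaction data the terminal presents to the card.
    return hmac.new(key, f"{amount_cents}:{merchant}".encode(), hashlib.sha256).hexdigest()


class GenuineCard:
    """The victim's real card, sitting in the tampered restaurant terminal."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin, pin)

    def authorise(self, amount_cents: int, merchant: str) -> str:
        # The card signs whatever it is asked to sign; it cannot see a display.
        return _cryptogram(self._key, amount_cents, merchant)


class Issuer:
    """The victim's bank: trusts the cryptogram, not any terminal display."""

    def __init__(self, key: bytes):
        self._key = key

    def verify(self, amount_cents: int, merchant: str, cryptogram: str) -> bool:
        return hmac.compare_digest(_cryptogram(self._key, amount_cents, merchant), cryptogram)


def relayed_purchase(card: GenuineCard, issuer: Issuer, entered_pin: str,
                     displayed_cents: int, real_cents: int, real_merchant: str) -> dict:
    # The jeweler's terminal sends its request through the fake card and the
    # laptops to the genuine card, unchanged; the victim only sees displayed_cents.
    pin_ok = card.verify_pin(entered_pin)          # "PIN OK" is relayed back
    cryptogram = card.authorise(real_cents, real_merchant) if pin_ok else ""
    return {
        "victim_display_cents": displayed_cents,
        "issuer_sees_cents": real_cents,
        "pin_ok": pin_ok,
        "issuer_accepts": pin_ok and issuer.verify(real_cents, real_merchant, cryptogram),
        # The relay never alters the data, so a tampered amount would fail:
        "would_accept_displayed_amount": issuer.verify(displayed_cents, real_merchant, cryptogram),
    }
```

Because every field the issuer checks was genuinely produced by the victim’s card for the jeweler’s request, the bank has nothing to reject; the mismatch exists only between the victim’s screen and the real authorisation.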
Although Drimer and Murdoch haven’t released the details of how it works, the unstated caveat is that if they can do it, someone else can too. In some of my industry groups, this very subject has been the topic of bitter battles between those who demand instant Chip and PIN deployment and those who are voices in the wilderness crying out that massive EMV implementation is taking place too soon. I happen to think the naysayers are right.