New Credit Cards (EMV) Hacked in France

EMV (Europay, MasterCard, Visa) is the chip-and-PIN standard that the US finally moved to on October 1st of this year.

For EMV history and background, see https://www.emvco.com/about_emv.aspx

So it is good that we have gotten up to speed from our days of just mag stripe and PIN number. But since the standard has been around since the early 2000s and in place in Europe for a while now, it should not be a surprise that a criminal found a way to hack the standard:

http://eprint.iacr.org/2015/963.pdf is the paper by Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria.

It describes a MITM (man-in-the-middle) attack on the EMV transaction:

A typical EMV transaction breaks down into three phases:
(1) card authentication,
(2) cardholder verification and
(3) transaction authorization.

A special chip (a hobbyist chip) was built to make the attack happen.

[Image: FUN chip as MITM for EMV transaction]

The FUN chip was built and placed on top of a stolen credit card.

[Image: FUN on top of stolen card]

[Image: FUN card - POS terminal diagram]

What happened was that the FUN chip was able to inject enough information (a ‘new’ PIN and maybe other banking info) to steal money from banks and/or certain individuals.

They stole a bit under €600,000 with 40 cards.

My first thoughts were that this is yet another example of a sophisticated criminal attack. This type of attack was “fixed” by the banks and software companies in Europe, but I can see a much more sophisticated execution stealing more money and creating a big problem in the US.

What does it mean for liability for fraud on this scale? Who is at fault? Yes, one can put the criminals behind bars, but what if this is a bit more grey…

We have to have methods to understand what is happening in our transactions quickly so an investigation can shut a new attack down…

Just because we have chip and PIN does not mean we are now safe.
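
One way to get that kind of visibility, as an added example that is not from the original post or the paper: a man-in-the-middle at the cardholder verification phase can leave the terminal and the card with different views of whether the PIN was verified, so an issuer can compare the two. The record schema and the `card_saw_offline_pin` flag are assumptions; how that flag is decoded from the card's own data is scheme-specific and not shown.

```python
from dataclasses import dataclass

# CVM codes (low 6 bits of CVM Results byte 1) that mean the card itself
# was asked to verify the PIN offline.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}
CVM_RESULT_SUCCESS = 0x02  # CVM Results byte 3: 0=unknown, 1=failed, 2=successful


@dataclass
class AuthRecord:
    """One authorization request as seen by the issuer (hypothetical schema)."""
    txn_id: str
    cvm_results: bytes           # EMV tag 9F34, 3 bytes, reported by the terminal
    card_saw_offline_pin: bool   # assumption: decoded from the card's own data


def terminal_claims_offline_pin_ok(cvm_results: bytes) -> bool:
    if len(cvm_results) != 3:
        raise ValueError("CVM Results (9F34) must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # drop the 'apply next rule' flag and RFU bit
    return method in OFFLINE_PIN_CVMS and cvm_results[2] == CVM_RESULT_SUCCESS


def find_cvm_mismatches(records):
    """Return ids where the terminal reports a successful offline PIN that the
    card did not record, or where the 9F34 field is malformed."""
    flagged = []
    for r in records:
        try:
            claimed = terminal_claims_offline_pin_ok(r.cvm_results)
        except ValueError:
            flagged.append(r.txn_id)  # malformed field: send to review
            continue
        if claimed and not r.card_saw_offline_pin:
            flagged.append(r.txn_id)
    return flagged


# Constructed sample records, not real transaction data.
SAMPLE = [
    AuthRecord("t1", bytes.fromhex("410302"), True),   # offline PIN, both sides agree
    AuthRecord("t2", bytes.fromhex("010002"), False),  # terminal: PIN ok; card: no PIN seen
    AuthRecord("t3", bytes.fromhex("1E0302"), False),  # signature CVM, no PIN expected
    AuthRecord("t4", bytes.fromhex("420300"), False),  # online PIN, checked by the issuer
    AuthRecord("t5", bytes.fromhex("0100"), False),    # truncated field
]

if __name__ == "__main__":
    print(find_cvm_mismatches(SAMPLE))
```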