Criminals in France have managed to ‘hack' chip and pin in a surprisingly simple scheme, according to Wired.
Although chip and pin is a system designed to provide two levels of security to financial transactions, first, the possession of the card itself and then the entry of the pin, this simple technique bypasses the pin and allows the would-be conman to type in any pin they like and have it approved.
By meddling with a stolen chipped cards, criminals can bypass the pin system. A group of French criminals did exactly that, and by stealing 40 credit cards and altering them they were able to make 7,000 transaction and steal nearly £450,000 . They were eventually caught in the act and the five criminals were arrested in 2011 after authorities found their spending patterns of shopping at the same Belgian stores, buying large amounts of cigarettes and lottery tickets.
This kind of fraud, or at least the ability to carry it out, has been documented twice in academic literature over the last five years. Most recently, researchers at the École Normale Supérieure produced a paper on their forensic analysis on the cards.
X-ray analysis found that the scammers had soldered a FUNcard chip on top of the original card's. The FUNcard chip is programmable, in this case, it was made to send a message to the card reader which meant that the pin entered would always be accepted, no matter what it was. The FUNcard chip can also be used to eavesdrop on mobile phone calls and modest security devices.
The scammers even obscured several parts of the potentially identifiable card's circuitry in order to make it harder to perform a forensic analysis on the altered cards.
While this analysis only occurred after the scammers were caught, in 2010, researchers at the University of Cambridge managed to produce a proof-of-concept that forecast this kind of scam.
Much like the real scam, the researchers took a card and put it in a card reader (available in stores), the card reader was then connected to a laptop loaded with the researcher's custom-built software. When the ‘customer' was prompted to enter their PIN code, they could merely insert a fake card and let their custom-built software kick in, allowing that ‘customer' to type in any pin code and have it approved.
The researchers managed to fit all this tech into a backpack and try it out on the Cambridge Cafeteria. The researchers threaded the wire connecting the computer to the fake card through a jacket sleeve. When it came time to carry out this dummy run, the designated researcher went to the cafeteria and successfully paid with a ‘0000' pin.
Steven Murdoch, who worked on the team that developed that proof of concept now works at University College London as a principal research fellow in their Information Security Research Group. He thinks that if authorities and the banking industry had realised the “remarkable ingenuity” of fraudsters and had realised the capabilities of projects like his team's proof of concept, “perhaps they would have found some others too.”
A spokesman from the UK Cards Association, a trade group, spoke to SCMagazineUK.com, saying that there is no evidence "that this type of fraud has ever occurred in a real life environment in the UK." They added that the reason it could be carried out in France, but not in the UK is that the French scam relied on the fact that "card transactions take place offline" The majority of transactions in the UK, however, are "processed online meaning these security checks are made in real time while the cardholder is making the payment."
