Researchers speaking at the Black Hat conference in Las Vegas demonstrated how the Chip and PIN system has been exploited to make a cash machine give out money. Small modifications to equipment allowed attackers to intercept the systems used to authorise payments.
While Chip and PIN is widely used across Europe, the US is only beginning to use the technology – making it a
renewed target for hackers, the researchers said – according to an article on the BBC.
“In the US we are finally catching up to the rest of the world and using Chip and PIN,” said Tod Beardsley, security research manager for Rapid7 who oversaw the hack. “The state of chip and pin security is that it’s a little oversold.”
The security and specifications of Chip and PIN are looked after by EMVCo, a consortium of six major payment providers – American Express, Discover, JCB, MasterCard, UnionPay, and Visa. EMVCo could not be reached for comment on Wednesday.
Rapid7 has disclosed the vulnerability to major ATM makers and banks, though it would not specify which. The team said it had not seen any effort to rectify the problem, but that it hoped the firms were looking into the vulnerability.
The hack is essentially performed in two halves. Unlike the older magnetic stripe system, in which criminals can skim the card info and use it at will until the card is cancelled, Chip and PIN provides only a limited window for transactions to take place – adding, in theory, a far better layer of security.
Criminals begin by modifying a point-of-sale (POS) machine, adding a small device known as a shimmer which sits between the victim’s chip and the receptor in the machine into which the card is inserted.
The shimmer reads the data on the chip, including the PIN being entered, and transmits that to the criminals. In the second half of the hack, criminals use an internet-connected smartphone to download the data from the stolen card, and then essentially recreate that same card in any ATM.