It has bee revealed that cyber criminals have worked out a way to hack the Chip and PIN card system currently being introduced at businesses throughout the US and widely used throughout Europe.
Five French citizens have been convicted of manipulating vulnerabilities in the system
with a card-switching technique that included substituting the PIN on a stolen card with a cheap piece of plastic.
French researchers from the École Normale Sperieure, a technology university, published a research paper revealing the case of five thieves who were arrested in 2011 and 2012 for spending €600,000 (roughly $680,000) with stolen credit cards. Using X-ray analysis and other microscopic scans, the researchers figured out that the criminals actually inserted a second chip onto stolen Chip and PIN cards, enabling them to dupe the PIN verification on many registers’ POS terminal.
The fake chip, known as a FUNcard, enabled the thieves to carry out a Man In The Middle attack, which involves intercepting communications on the point-of-sale (POS) terminal. When a shopper inserts his or her card into a POS terminal, the terminal automatically tries to verify its authenticity. In this case, the FUNcard was waiting with its own, fake “yes” signal when the authenticity check arrived.
“The attacker intercepts the PIN query and replies that it’s correct, whatever the code is,” ENS researcher Remi Geraud told Wired magazine Tuesday. “That’s the core of the attack.”
Until 2011, the concept of spoofing the PIN on a Chip and PIN card was largely theoretical. A group of Cambridge University researchers discovered similar flaws, but this French crime ring appears to have been the first time the trick was discovered in the wild. Malicious software used on ATMs in Russia and Europe has also broken through chip-and-PIN safeguards, allowing thieves to drain ATMs of cash in at least one case.