French chip and PIN hack ‘most sophisticated ever’

As the US comes out of its first post-EMV liability shift months, it’s worth looking at how chip cards have evolved over the years to improve security and how lessons learnt in other countries have made smart cards more secure than ever. While EMV cards are undoubtedly more secure than traditional mag stripe cards, there have been, and continue to be, certain vulnerabilities that fraudsters can exploit.

Researchers have detailed one such case in France that they say is the “most sophisticated smart card fraud encountered to date”.

It was a highly complex attack, but in essence the fraudsters fitted a second chip into stolen payment cards, alongside the genuine one, so that it could sit between the chip and the terminal and carry out a man-in-the-middle attack. These were card-present transactions in which the PIN check was effectively nullified. The fraud, which took place over several months from 2011 to 2012, caused a net loss of around €600,000, involved over 7,000 transactions and featured 40 modified cards.

A paper from the École Normale Supérieure and the Centre Microélectronique de Provence analysed the fraud and produced some important findings for our understanding of card security today. Each card was fitted with a second, fake chip that handled all communication with the point of sale (POS) terminal – the so-called man in the middle. Ordinary commands were passed through to the genuine chip, but when the POS terminal sent the entered PIN to the card for verification, the spoof chip answered on the genuine chip’s behalf and reported the PIN as correct no matter which four digits had been entered on the keypad. The terminal trusted that plain status response, so the transaction went ahead as if the cardholder had authenticated.

If anything, it shows the sheer lengths to which fraudsters have been forced to go since the introduction of EMV cards. The authors of the French report say: “This case shows that organised crime is following very attentively advances in information security. We also noted that producing the forgery required patience, skill and craftsmanship.”

Lessons

The report notes that the attack could not happen today, thanks to the activation of a new authentication mode, CDA (EMV’s combined DDA/application cryptogram generation, usually expanded as Combined Dynamic Data Authentication), as well as “network level protections acting as a second line of defence”. The authors noted: “Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates.” They add that “as a rule of thumb, an unmalleable cryptographic secure channel must always exist between cards and readers”. The point of that rule is that the terminal should never have to take an unauthenticated answer from the card at face value: anything the card asserts about the transaction, including whether it verified the PIN, should be bound to data the terminal can check cryptographically.

CDA explained

What this study also makes clear is the importance of CDA, which is transforming payment security and making fraud a lot harder. It begins exactly like Dynamic Data Authentication (DDA): the terminal validates the issuer’s certificate chain and the card’s signature over a terminal-supplied challenge, which proves that a genuine chip is present. The difference comes at card action analysis. When the terminal requests the application cryptogram, a CDA card returns a second dynamic signature, computed over the cryptogram and the data of the current transaction, and the terminal must verify that signature before the transaction can proceed. Because the signature is tied to the data exchanged in this specific transaction, a chip sitting between the genuine card and the terminal cannot alter or fabricate the card’s response without the terminal noticing, which is the extra layer of protection against man-in-the-middle attacks that DDA alone does not give.
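The following toy model, added here as an illustration and not code from the paper or from the article, plays out both the fraud described above (a relay chip that answers PIN verification itself and forwards everything else to the stolen card’s genuine chip) and the authors’ rule of thumb that the card’s answers must be cryptographically bound to the transaction. It is deliberately simplified: an HMAC with a demo key stands in for the RSA signature a real CDA card produces and the terminal’s public-key check, the status words and the amount encoding are the only EMV details kept, and binding the card’s own view of the PIN check into the signed data is the toy’s own design rather than a transcription of the EMV specification. All keys, PINs and amounts are constructed test values.

```python
"""Toy EMV-style exchange: a relay chip that lies about the PIN, and a terminal
that only trusts what the genuine chip signs. Added example; not from the paper."""
import hashlib
import hmac

PIN_OK = b"\x90\x00"     # ISO 7816 status word: command succeeded
PIN_WRONG = b"\x63\xc0"  # status word: verification failed
CARD_KEY = b"demo-card-key"  # constructed stand-in for the card's certified RSA key
UN = b"\x12\x34\x56\x78"     # terminal 'unpredictable number' used as a challenge


class GenuineCard:
    """A chip that checks the PIN and signs what it actually verified."""

    def __init__(self, pin, key=CARD_KEY):
        self.pin, self.key = pin, key
        self.pin_verified = False

    def verify(self, pin):
        self.pin_verified = hmac.compare_digest(pin, self.pin)
        return PIN_OK if self.pin_verified else PIN_WRONG

    def generate_ac(self, unpredictable_number, amount):
        # Dynamic signature over the terminal's challenge, the amount and the
        # card's own record of whether it verified a PIN (toy binding).
        data = unpredictable_number + amount.to_bytes(6, "big") + bytes([self.pin_verified])
        return data, hmac.new(self.key, data, hashlib.sha256).digest()


class RelayChip:
    """The fraudsters' second chip: forwards every command to the stolen card's
    genuine chip except VERIFY, which it always answers with PIN OK."""

    def __init__(self, genuine):
        self.genuine = genuine

    def verify(self, pin):
        return PIN_OK  # never consults the genuine chip, so any PIN 'works'

    def generate_ac(self, unpredictable_number, amount):
        return self.genuine.generate_ac(unpredictable_number, amount)


class ForgedChip(RelayChip):
    """Variant that rewrites the signed response instead of forwarding it."""

    def generate_ac(self, unpredictable_number, amount):
        data, sig = self.genuine.generate_ac(unpredictable_number, amount)
        return data[:-1] + b"\x01", sig  # claims PIN verified; signature no longer matches


class Terminal:
    def __init__(self, key=CARD_KEY, check_signature=True):
        self.key, self.check_signature = key, check_signature

    def run(self, card, entered_pin, amount, un=UN):
        pin_accepted = card.verify(entered_pin) == PIN_OK
        if not pin_accepted:
            return {"pin_accepted": False, "approved": False, "reason": "PIN rejected"}
        data, sig = card.generate_ac(un, amount)
        if not self.check_signature:
            # Pre-CDA behaviour: the status word alone decides the outcome.
            return {"pin_accepted": True, "approved": True, "reason": "status word only"}
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected) or data[:10] != un + amount.to_bytes(6, "big"):
            return {"pin_accepted": True, "approved": False, "reason": "signature invalid"}
        if not data[10]:
            # The genuine chip signed 'no PIN verified' while the terminal was told PIN OK.
            return {"pin_accepted": True, "approved": False, "reason": "PIN result mismatch"}
        return {"pin_accepted": True, "approved": True, "reason": "ok"}


if __name__ == "__main__":
    stolen = GenuineCard(b"1234")
    print("legacy terminal, relay chip:", Terminal(check_signature=False).run(RelayChip(stolen), b"0000", 2500))
    print("signing terminal, relay chip:", Terminal().run(RelayChip(stolen), b"0000", 2500))
    print("signing terminal, forged response:", Terminal().run(ForgedChip(stolen), b"0000", 2500))
    print("signing terminal, genuine card:", Terminal().run(stolen, b"1234", 2500))
```

Run it and the legacy terminal approves the relayed transaction with a wrong PIN, exactly the pattern of the French fraud, because the only evidence it has of the PIN check is an unauthenticated status word. The terminal that verifies the signed response rejects the same relay chip (the genuine chip signs that it never verified a PIN) and rejects the forged response outright, while a genuine card with the right PIN is approved. The toy shows the principle behind the authors’ rule rather than the exact EMV data flow; in deployed EMV the signed cryptogram also reaches the issuer, which is the “network level” line of defence the paper refers to.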

It’s this combination of authentication steps that is squeezing out card-present fraud. While chip cards don’t cure all the ills of payment card fraud, the emergence of processes such as CDA means the criminals have to go to increasingly difficult lengths to achieve a profit.

The next step for EMV cards is to be able to deliver a similar level of security in the card-not-present arena.

Written by David Divitt