In a research paper published by the École Normale Supérieure in Paris, France, and the Centre Microélectronique de Provence (CEA), researchers outline the forensic analysis they conducted on evidence from a fraud case four years ago.
In 2010, researchers at the University of Cambridge discovered a flaw that, if exploited, would allow criminals to use stolen chip-and-PIN cards without knowing the victim's PIN.
In 2011, a banking group in France noticed that a dozen stolen EMV cards were being used in Belgium. Given that the use of EMV, or chip-and-PIN, is supposed to prevent fraud, the bankers launched an investigation.
Law enforcement eventually tracked the criminals down, but not before they were able to steal €600,000 ($681,600) with 40 forged cards by conducting 7,000 fraudulent transactions.
The attack itself was elegant. During a transaction, when the PoS asked the stolen chip to confirm that the entered PIN was valid, the dummy chip (acting as a man-in-the-middle) simply answered in the affirmative, and the transaction completed successfully.
"These forgeries are remarkable in that they embed two chips wired top-to-tail. The first chip is clipped from a genuine stolen card. The second chip plays the role of the man-in-the-middle and communicates directly with the point of sale (PoS) terminal. The entire assembly is embedded in the plastic body of yet another stolen card. The forensic analysis relied on X-ray chip imaging, side-channel analysis, protocol analysis, and microscopic optical inspections," the researchers explain.
The researchers' work, as well as the findings in the report, demonstrates that organized crime keeps pace with security advances, and that, given enough time and resources, even the most sophisticated protection schemes can be circumvented.
"It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates," the paper adds.
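The following is an added, deliberately simplified model of the PIN-confirmation exchange described above and of the kind of network-level consistency check the paper mentions as a second line of defense. It is not code from the paper or from any payment network: the message fields, the chip classes and the `offline_pin_verified` flag are assumptions standing in for real EMV data elements (the terminal's CVM Results and the card's Issuer Application Data), and CDA is not modelled. The point it shows is why the fraud worked at the terminal yet can be caught at the issuer: the terminal believes the card confirmed the PIN, while the genuine chip's own record says no PIN verification ever took place.

```python
"""Simplified model (added example, not the paper's code) of a chip-and-PIN
transaction with a man-in-the-middle chip, plus an issuer-side check that
compares what the terminal reports with what the card itself reports."""

from dataclasses import dataclass

# ISO 7816 status words as hex strings (real values; the retry count is assumed).
SW_OK = "9000"         # command succeeded
SW_PIN_WRONG = "63C2"  # verification failed, 2 tries remaining


@dataclass
class GenuineCard:
    """The stolen genuine chip. It keeps its own record of PIN verification,
    which in real EMV travels to the issuer inside the card's cryptogram data."""
    pin: str
    offline_pin_verified: bool = False

    def verify(self, pin_entered: str) -> str:
        if pin_entered == self.pin:
            self.offline_pin_verified = True
            return SW_OK
        return SW_PIN_WRONG

    def card_verification_results(self) -> dict:
        # Assumed field name; stands in for the CVR bits in Issuer Application Data.
        return {"offline_pin_verified": self.offline_pin_verified}


class ManInTheMiddleChip:
    """The dummy chip wired in front of the genuine one. It answers the PIN
    check itself and lets the genuine chip supply everything else."""

    def __init__(self, genuine: GenuineCard):
        self.genuine = genuine

    def verify(self, pin_entered: str) -> str:
        return SW_OK  # answers in the affirmative without consulting the genuine chip

    def card_verification_results(self) -> dict:
        # The genuine chip never saw a VERIFY, so its record still says "not verified".
        return self.genuine.card_verification_results()


def issuer_authorize(auth_request: dict) -> dict:
    """Network-level counter-measure: reject when the terminal claims the card
    confirmed the PIN but the card's own data says no PIN verification happened."""
    terminal_says_pin_ok = auth_request["terminal_cvm_result"] == "offline_pin_ok"
    card_says_pin_done = auth_request["card_cvr"]["offline_pin_verified"]
    if terminal_says_pin_ok and not card_says_pin_done:
        return {"approved": False,
                "reason": "terminal CVM result inconsistent with card verification results"}
    return {"approved": True, "reason": "ok"}


def terminal_transaction(chip, pin_entered: str) -> dict:
    """The PoS side: verify the PIN with whatever chip answers, then send an
    authorization request carrying both the terminal's and the card's view."""
    sw = chip.verify(pin_entered)
    if sw != SW_OK:
        # Genuine card rejects a wrong PIN; the transaction never reaches the issuer.
        return {"approved": False, "reason": f"PIN rejected by chip (SW={sw})"}
    auth_request = {
        "terminal_cvm_result": "offline_pin_ok",          # what the terminal believes
        "card_cvr": chip.card_verification_results(),      # what the card reports
    }
    return issuer_authorize(auth_request)


if __name__ == "__main__":
    # Constructed scenarios: a legitimate cardholder, a wrong PIN, and the forgery.
    print("genuine, correct PIN:", terminal_transaction(GenuineCard(pin="1234"), "1234"))
    print("genuine, wrong PIN:  ", terminal_transaction(GenuineCard(pin="1234"), "0000"))
    forged = ManInTheMiddleChip(GenuineCard(pin="1234"))
    print("forgery, any PIN:    ", terminal_transaction(forged, "0000"))
```

In the first scenario both views agree and the issuer approves; in the second the genuine chip refuses the PIN and the terminal declines on its own; in the third the terminal is satisfied, exactly as in the fraud, but the authorization request carries a card record that contradicts the terminal's claim, which is the discrepancy a network-level check can act on. Real deployments compare the actual EMV fields rather than these assumed flags, and CDA closes the gap earlier by binding the card's signed data to the transaction.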