The underlying flaw has been fixed, but the incident proves that criminals will always find a way to commit crime

In a research paper published by the École Normale Supérieure University in Paris, France, and the Centre Microélectronique de Provence (CEA), researchers outlined the forensic analysis they conducted on evidence used in a fraud case four years ago.

In 2010, researchers at the University of Cambridge discovered a flaw that, if exploited, would allow criminals to use stolen chip-and-PIN cards without knowing the victim’s PIN.

In 2011, a banking group in France noticed that a dozen stolen EMV cards were being used in Belgium. Given that the use of EMV, or chip-and-PIN, is supposed to prevent fraud, the bankers launched an investigation.

Law enforcement eventually tracked the criminals down, but not before they were able to steal €600,000 ($681,600) with 40 forged cards by conducting 7,000 fraudulent transactions.

The attack itself was elegant. During a transaction, when the PoS requested confirmation from the stolen chip that the entered PIN was valid, the dummy chip (acting as man-in-the-middle) would simply answer in the affirmative, and the transaction would complete successfully.

“These forgeries are remarkable in that they embed two chips wired top-to-tail. The first chip is clipped from a genuine stolen card. The second chip plays the role of the man-in-the-middle and communicates directly with the point of sale (PoS) terminal. The entire assembly is embedded in the plastic body of yet another stolen card. The forensic analysis relied on X-ray chip imaging, side-channel analysis, protocol analysis, and microscopic optical inspections,” the researchers explain.
The researchers’ work, as well as the findings in the report, demonstrates that organized crime is following security advances, and that, given the time and resources to do so, criminals can circumvent even the most sophisticated protection schemes.

“It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates,” the paper adds.