HitB2011AMS: Credit Card Skimming and PIN Harvesting in an EMV World

[Image: Black Skimmer (Rynchops niger) skimming; CC-BY image from marlin harms' Flickr stream]
By Adam Laurie and Daniele Bianco

Slides on the HitB Materials page.

So what is EMV? It stands for Europay, Mastercard and Visa and is a new security standard for credit cards. With the introduction of EMV the liability moved from the merchant to the cardholder, because fraud is thought to be unlikely. However, EMV has already been proven to be broken: Murdoch et al., for example, have shown that it is possible to use a stolen card without knowing the PIN.

This talk focuses on the ability to still skim an EMV credit card, without reading the magstripe (which is very often still present).

Skimming a chip card may be more interesting because the user cannot see the interface and thus cannot detect the skimmer. The effort needed to install a smartcard skimmer is quite small.

The industry perceives these tools as complex, but that is not true. Devices are small, easy to install and hard to detect.

It is possible to clone the track 1 and track 2 magnetic stripe data from the publicly readable data on the EMV chip. Luckily, not all EMV cards support this.
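To make the "publicly readable data" concrete, here is an added example (not code from the talk or from RFIDIOt) that decodes the Track 2 Equivalent Data object an EMV chip returns (tag 57) the way an issuer- or acquirer-side fraud-analytics tool would: it splits the BCD-packed value into PAN, expiry, service code and discretionary data, masks the PAN for logging, and checks the service code, whose first digit tells the issuer that the card carries a chip, so that a magstripe swipe of a cloned track at a chip-capable terminal shows up as a fallback transaction worth scoring. The sample tag value is constructed (a well-known test PAN), not data from a real card.

```python
# Added example: decode EMV tag 57 (Track 2 Equivalent Data) for fraud analytics.
# Not code from the talk; the sample value below is constructed, not a real card.
from dataclasses import dataclass

# Constructed sample: PAN 4111111111111111, expiry YYMM 2512, service code 201,
# discretionary data 0000123, padded with a trailing F nibble (odd digit count).
SAMPLE_TAG57 = bytes.fromhex("4111111111111111D25122010000123F")


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def decode_track2_equivalent(value: bytes) -> Track2:
    """Decode the BCD-packed tag 57 value.

    The nibble 0xD separates the PAN from the rest (it plays the role of the
    '=' separator on a physical magstripe); a trailing 0xF nibble is padding.
    """
    nibbles = value.hex().upper()
    if nibbles.endswith("F"):
        nibbles = nibbles[:-1]
    if "D" not in nibbles:
        raise ValueError("no field separator in track 2 data")
    pan, rest = nibbles.split("D", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN length/format invalid")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("expiry date and service code missing or malformed")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS allows for logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_declared(service_code: str) -> bool:
    """First service-code digit 2 or 6 (ISO 7813): issuer declares an IC on the
    card, so a magstripe read at a chip-capable terminal is a fallback transaction."""
    return service_code[0] in ("2", "6")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; a cheap sanity check before any lookup."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    t = decode_track2_equivalent(SAMPLE_TAG57)
    print("PAN", mask_pan(t.pan), "exp", t.expiry_yymm, "svc", t.service_code,
          "chip declared:", chip_declared(t.service_code), "luhn:", luhn_ok(t.pan))
```

The discretionary field is where the issuer puts the card verification value; on a chip the value is an iCVV that differs from the magstripe CVV, which is the issuer-side control that makes a track cloned from chip data fail authorization when the issuer actually checks it.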

So magnetic stripe data can be stolen and a stolen card can be used without a PIN, but is it possible to do PIN and magnetic stripe harvesting with EMV cards?

The CVM list on the card, which is digitally signed, tells the terminal which cardholder verification method (CVM) to use. The PIN is only sent to the card if the card specifies this in the CVM list.

However, it turns out that, under certain circumstances, PoS terminals do not correctly detect a tampered CVM list and will therefore present the PIN in plain text even if the CVM list states this shouldn't happen.
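The two paragraphs above are easier to follow with the CVM list in front of you. The following is an added example, not code from the talk, RFIDIOt or any EMV kit: it decodes a CVM List (tag 8E) and walks its rules in order the way a terminal does, with one defensive policy choice that is this example's own assumption rather than something the talk prescribes: a rule that asks for a plaintext PIN is only honoured when the signed card data covering the list verified correctly, so a list whose signature no longer matches cannot steer the terminal into sending the PIN in the clear. The sample list is constructed; the condition codes for cash and cashback transactions are deliberately left unmodelled.

```python
# Added example: decode EMV tag 8E (CVM List) and select a CVM like a terminal,
# refusing plaintext-PIN rules unless the signed data covering the list verified.
# Not the talk's code; SAMPLE_TAG8E is constructed and the policy is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Set

# CVM method codes (low six bits of the first rule byte), EMV Book 3 Annex C3.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
PLAINTEXT_PIN = {0x01, 0x03}   # methods that send the PIN to the card unencrypted

# Constructed sample: amount X = 5000, Y = 0, then four two-byte rules:
#   42 03  enciphered PIN online if the terminal supports it, else next rule
#   41 03  plaintext PIN by ICC if the terminal supports it, else next rule
#   1E 03  signature if the terminal supports it
#   1F 00  no CVM required, always
SAMPLE_TAG8E = bytes.fromhex("00001388" "00000000" "4203" "4103" "1E03" "1F00")


@dataclass
class CvmRule:
    method: int
    condition: int
    apply_next_on_fail: bool   # bit 7 (0x40) of the first byte


@dataclass
class CvmList:
    amount_x: int
    amount_y: int
    rules: List[CvmRule]


def decode_cvm_list(value: bytes) -> CvmList:
    """Tag 8E layout: 4-byte amount X, 4-byte amount Y, then 2-byte rules."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(value[0:4], "big")
    y = int.from_bytes(value[4:8], "big")
    rules = [CvmRule(method=value[i] & 0x3F, condition=value[i + 1],
                     apply_next_on_fail=bool(value[i] & 0x40))
             for i in range(8, len(value), 2)]
    return CvmList(x, y, rules)


def condition_met(cond: int, amount: int, cvm: CvmList, method_supported: bool) -> bool:
    """Subset of the CVM condition codes; cash/cashback conditions are not modelled."""
    if cond == 0x00:
        return True
    if cond == 0x03:
        return method_supported
    if cond == 0x06:
        return amount < cvm.amount_x
    if cond == 0x07:
        return amount > cvm.amount_x
    if cond == 0x08:
        return amount < cvm.amount_y
    if cond == 0x09:
        return amount > cvm.amount_y
    return False


def select_cvm(cvm: CvmList, amount: int, signed_data_verified: bool,
               supported: Set[int]) -> Optional[int]:
    """Walk the rules in order; return the chosen method code or None (CVM failed).

    Policy assumed by this example: a plaintext-PIN rule counts as unusable when
    offline data authentication of the signed data covering the list failed.
    """
    for rule in cvm.rules:
        if not condition_met(rule.condition, amount, cvm, rule.method in supported):
            continue
        usable = rule.method in supported
        if rule.method in PLAINTEXT_PIN and not signed_data_verified:
            usable = False
        if usable:
            return rule.method
        if not rule.apply_next_on_fail:
            return None
    return None


def plaintext_pin_rules(cvm: CvmList) -> List[int]:
    """Indices of rules that would send the PIN to the card in the clear."""
    return [i for i, r in enumerate(cvm.rules) if r.method in PLAINTEXT_PIN]


def describe(cvm: CvmList) -> List[str]:
    return [f"{i}: {CVM_METHODS.get(r.method, 'RFU/proprietary %#04x' % r.method)}"
            f" [cond {r.condition:#04x}]" + (" -> next on fail" if r.apply_next_on_fail else "")
            for i, r in enumerate(cvm.rules)]


if __name__ == "__main__":
    cvm = decode_cvm_list(SAMPLE_TAG8E)
    print("\n".join(describe(cvm)))
    offline_terminal = {0x01, 0x1E, 0x1F}
    print("verified:", select_cvm(cvm, 1000, True, offline_terminal))
    print("unverified:", select_cvm(cvm, 1000, False, offline_terminal))
```

With the sample list and an offline-only terminal, a verified card lands on plaintext PIN (0x01) while an unverified one falls through to signature (0x1E); the talk's point is that real terminals did not always make that second decision.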

Adam and Daniele then demonstrate the tools they have developed to actually copy a card and u

About Daniele Bianco

He began his professional career during his early years at university as a system administrator and IT consultant for several scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on the design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices.

At present he is the resident Hardware Hacker for the international consultancy Inverse Path, where his research work focuses on embedded systems security, electronic device protection and tamperproofing techniques. He has presented at many IT security events and his work has been quoted by numerous popular media.

About Adam Laurie

Adam Laurie is a freelance security consultant working in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe’s largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world’s first CD ripper, ‘CDGRAB’.

At this point, he and Ben became interested in the newly emerging concept of ‘The Internet’, and were involved in various early open source projects, the most well known of which is probably their own ‘Apache-SSL’ which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities.

Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID.

He is the author and maintainer of the open source python RFID exploration library ‘RFIDIOt’, which can be found at http://rfidiot.org. Adam is a Director and full time researcher working for Aperture Labs Ltd., specialising in reverse engineering of secure systems.
