Smart Cards Used To Hack Smart Cards

Back in the day, true hackers – the kind that would build VCRs out of 555 chips only to end up in the Hackaday comments section in their twilight years – would steal satellite TV feeds with the help of tiny little microcontrollers embedded in a credit card. This was the wild west, when a parallel port was the equivalent of a six-shooter and Jnco jeans were a ten gallon hat.

The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.

Chip and pin verification for Point of Sale (PoS) transactions are a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability to this system was discovered, making it a simple matter for anyone to break chip and pin systems. This system used an FPGA with a backpack worth of modified hardware – executing it in a store would raise more than a few eyebrows.

The 2010 exploit hardware
The 2010 exploit hardware

The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system. What is a gang of criminals to do? Simply program a smart card with all the smarts required to pull of the hack, of course.

To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.

How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found. Not only did the engineer responsible for this manage to put the code required for the exploit in an off-the-shelf smart card, the gold contact pads from the original credit card were rewired to the new microcontroller in an amazing feat of rework soldering.

Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals. They also came up with a few additional countermeasures that can be deployed in the future, just in case. In any event, it’s an amazing bit of reverse engineering, soldering, and craftsmanship that went into this crime spree, and as usual, it only took a massive loss for retailers to do anything about it.

61 thoughts on “Smart Cards Used To Hack Smart Cards

  1. In Europe if your chip and pin card is stolen, the card-holder, not the credit card company, is liable for misuse, because they’re considered “uncrackable”. The “Chip and pin is broken” paper mentions this and the challenges of addressing it, but I don’t think it’s been addressed. The paper discussing the 600K fraud doesn’t say who was liable for this attack. Seems unfair that the card holders should be. The incentives are not in place to make the fair thing happen, though. An interesting situation…if anyone knows more, please chime in! The US is about to deploy chip and pin broadly, but I haven’t heard how this is going to change the credit fraud liability equation. Hopefully lessons like this will be taken into account.

    1. If the banks are that sure their scheme’s uncrackable, why are they so shy to take responsibility for if it happens? It’s because they’re trillion-dollar companies and fuck the customer, I know. But it’s worth asking rhetorically.

      They originally guaranteed against fraud because customers didn’t trust cards, so guaranteeing increased takeup. Now we’re all stuck with cards regardless, they’re not gonna bother.

      1. Exactly because they do believe it is unbreakable …

        Which means that if a transaction (well an “online pin-verified” one at least) goes through, the one making it had both the original card and the PIN. And keeping the card in his possession and the PIN secret is the holder’s responsibility.

        Then if card is stolen and pin taken under duress, it’s your personal insurance against theft (assuming you subscribed to one that cover that case) that would kick in and not the bank.

        And TBH if it were unbreakable, I’d tend to agree. But that’s a _big_ IF and I’m not sure they have sufficient proof of that. And I’m appalled how this attack worked in 2010 … not linking the PIN check to the actual unlocking of the crypto key to make the transaction auth is just unforgivable. SIM cards have been doing that for like 20 years …

    2. Right now, it seems, we are in the middle of implementation. Often I have to ask which to use, swipe or insert, because if you do the wrong one it may mess up the transaction. My understanding is that the fault for chip and pin still falls upon the card issuer, but if a store still accepts swipe- they are the ones responsible for the liability. my limited understanding at this point says I as a customer will not be liable for unauthorized transactions.

    3. There is an *excellent* Computerphile video explaining all this:

      https://www.youtube.com/watch?v=Ks0SOn8hjG8

      It is quite depressing in fact. One of the easiest hacks that still exist is to hack the display that shows the amount of transaction. There is no paper record and thus no protection against this except for a sting. As the video says due to the liability rules, when you have chip and pin cards in your wallet, you are literally walking with thousands of dollars worth of CASH.

      I think the only way to protect against the myriad of possible attacks is to have an active device. Of course, if that is your phone that opens up even more attack vectors…so…

      1. Thanks! Very interesting video!
        What I found interesting was the “transition from magnetic to chip” fraud, which I had never heard of before. (Maybe it’s because I’m too young or because the technology to do it was not as easily available when my country switched to chip credit cards in the 90’s).
        Another thing I found amazing was how much could be done by tampering with card readers!
        I’m sure the fraud that uses a spying device planted in the reader can easily be defeated using better cryptography, but
        I’m not sure how you could avoid theft when the merchant is dishonest and has a reader with a fake display that shows a lower amount than charged…

    4. That is certainly not true. The payer is liable for unauthorised payment transactions (provided that several basic security conditions were met and until the card is reported as lost) only up to 150 €. European directive: 2007/64/EC.

      1. One of the basic security conditions is: “2. For the purposes of paragraph 1(a), the payment service user shall, in particular, as soon as he receives a payment instrument, take all reasonable steps to keep its personalised security features safe.” Which is to say, if the bank decides you didn’t keep your PIN safe you’re on the hook for the entire amount – and UK banks have successfully argued in court that this attack is so difficult that, if someone’s chip and PIN card was used successfully, they must have been careless with their PIN and are liable for all the transactions in question.

    5. In the Netherlands (europe) when you creditcard is stolen, the webshops where the card is used as screwed not the card holders.
      They get to refund the money to the card owner. This is because the don’t have a signature from the customer to prove they happily received there product.

    6. I’m not sure if there is a general rule in the US, as I believe it’s all in the Cardholder/Merchant contracts. As far as I’m aware, I’m personally not liable for any fraud of any kind happening on my account, I just have to be sure to report it if it happens. The only time it happened to me, the card company actually contacted me about a suspicious transaction (almost immediately), $60 at a conveniences store several states away. I also have a right to dispute any charges.

      I think the store is only liable if they violate their merchant agreement. The criteria are different store to store, card to card.

      The one major change in the US, is with the adoption of chipped cards, merchants who still accept swipes on chipped cards are responsible for the fraud. The card company still accepts liability if the chip is used.

  2. Isn’t it required to connect to the bank in order to complete the transaction? Usually after I enter PIN the computer at the register waits for the authorization from the bank, I thought this is how it works everywhere.

      1. Surely this isn’t as simple as “Terminal sends PIN to card, card says ‘yes, that’s fine’, purchase goes through”? So it’s a cloned card that accepts any PIN? So all anyone needed was a card that sends a selected card number and an undiscriminating “yes”?

        1. It’s a bit more sophisticated than that. They allow the original chip to present its own authentication toekn, but then they hijack the PIN authentication so that any PIN is accepted. Still no idea why you would ever leave PIN verification to the one thing in the attacker’s hands.

          1. So it needs 2 chips, the original plus a man in the middle? For the soldering alone, that’s probably worth €600,000. Is the card’s token a challenge-response from the bank? How did they manage to get a FUN card to send the correct token, if they don’t use the original chip?

            And yep, IIRC, having the PIN authentication separate from the card’s own, is needlessly silly.

          2. “Still no idea why you would ever leave PIN verification to the one thing in the attacker’s hands.”

            Because it’s not feasible to connect to the bank every time, especially if the network happens to be down at the moment.

          3. Network down? Then why in the world would any sensible merchant continue with said transaction? Credit cards are closed. Stolen. Maxed out.

            Remember that whole debacle with Walmart and the Welfare jerks that went all apeshit when the network went down? Yeah, no merchant will do something that dumb again.

        2. That’s exactly what the YesCard did! The hack described here is an evolution of it.
          The YesCards were a real problem in the years around 2000, but the hole was fixed with better cryptography (I think).
          (I can’t find a english Wikipedia article on the yescards, maybe because smart credit cards weren’t used in the US and UK at that moment (to avoid paying royalties))

          (Sorry, I hit “report” instead of reply)

      1. So it’s probably not smartcard but ‘stupidcard’, chip is used only as EPROM that stores card info, just as a magnetic track does.
        In Europe, magnetic swipe cards became rare, most of the banks use chip cards. Those also have magnetic track, but when cashier swipes it terminal prompts “insert card into reader”, then it reads smart chip and you have to enter PIN and verify transaction.
        Funny thing about cards that are verified by signature. They have paper track below the magnetic track, and bank requires you to put your signature there, so that cashier can verify that your signature is same as one on the card. I always laughed about that, that is one big security hole, if you lost your card, finder gets your magnetic track and your signature, everything he needs for transaction completion.

        1. It’s still a smart-card. I believe they rely on a key-sequence, where the seed is stored in the card and known by the card agency. It never sends the same verification code twice. This effectively prevents the card from being easily copied from intercepted or stolen information, which was a major problem with magnetic stripes. The PIN part only prevents someone from using your real card if they stole it.

    1. Besides, in most of Europe card transactions are often in offline mode. Terminal stores and accepts all transactions in memory until next online session. Similarly card store the same info. This “feature” can be used to hack RFID/NFC enabled credit cards by reading info from a card of unsuspecting victim and sending it to device that interacts with the terminal. By scanning multiple cards in public place and because each card scanned equals one transaction, one can get lots of goods from this scheme, albeit most of those transactions are limited by maximum payment allowed. For full protection one can either keep his cards in Faraday wallet, or set RFID/NFC transaction limit for card to zero. Or can break the antenna with drilling or cutting.

    2. I believe the chip still authenticates to the bank (can’t find any reference to how this works), but the pin is verified locally by the card. The pin is just for user Id purposes, and still needs the thief to have stolen your physical card. This attack does not allow for the creation of a duplicate card.

      The scary part of the hack is more that they were able to steal the card, modify it, and use it before the card owner noticed it was missing and cancelled the card.

      1. They didn’t need to modify anything, they just stick it into their custom MitM hardware and push a wired card into the reader for wherever the withdrawl is going to be, likely an ATM down the street. Can you cancel your card in 5 minutes or less? Would you even know it was gone by then? Not that hard to execute for them.

      2. From the paper: “The net loss caused by this fraud is estimated to stand below €600,000, stolen over 7,000
        transactions using 40 modified cards.”
        * Hence the average amount spent was €85.72 . The average number of transactions per stolen card was 175.
        * I’m speculating here, but I think they value apprehending the network of fraudsters, and identifying the vulnerability above €85.72.

        My guess is the cards were often canceled in time, but the knowledge was more important than the money. Eventually the “25 year old woman” who was caught buying goods (large quatities of cigarette packs and lottery tickets to be sold on black market) was by correlating cellphones’ spacetime events with the PoS spacetime events. Why wait for so many transactions? I can imagine many possible reasons: perhaps most of the time she did not bring her cellphone as per possible instructions of the engineer behind it? perhaps they identified her rather quickly (I assume by CCTV footage), but had to spy on her for a long time to reveal her connection with the rest of the network? Perhaps they let the fraud escalate to this amount so that it would be serious enough to put pressure on accomplices for testimony etc?

        Some important lessons here which are valuable to future organised crime networks here:
        * Make sure the lowest levels do not bring phones etc while they buy stuff
        * Severe the traces between lower levels and engineers with dead drops?
        * Use test cases to reimplement the whole EMV protocol (the countermeasures seem to orient around deviations from the standard)

    3. it depends on the amont and other factors (I think the card can ask for a call home too, not only the POS side) and varies from POS to POS, it’s sometimes calling home, and sometimes not. It’s a bit like buying alcohol in the US, you never know if you will be carded.

  3. Before I became a Christian I used to make false barcodes for stealing goods.
    I photographed a barcode on a cheap TV box and forged a sticker that resembled the
    sticker of a much higher model. Then I simply sticked the forged sticker over
    the original barcode on the high end model box and put it into my cart. The most serious part was to serach for a cashier with some young blonde girl from an agency beyond it
    and voila – the hyper super 3D LCD TV was mine for the price of some low-end
    model. It was not a €6e5 business, but it definitely saved some bucks to me and
    my friends.
    Sometimes I miss those rogue days….

    1. I could tell you a few good stories from a mate of mine who used to be a bit naughty. 90% of it is putting on a suit and looking like you’re supposed to be doing what you’re doing.

      Or if you take it to the next level, become Derren Brown. Have we all seen his early special, where he gets a racetrack cashier to pay him out for a losing ticket? The computer tells her “no” twice, she still does it. I’ve a feeling the guy looking like a debonair Lucifer isn’t just a coincidence.

    2. That hack’s almost 30 years old at this point. I used to do it way back in the day. The best time of year to do it was around Xmas so that everyone was too busy to pay any attention to what you were doing. The U-scan aisles would have been great but they started matching barcodes to the weight of the item so dealing with a cashier was always safer oddly enough. Stopped doing it years ago, long before LCD TVs were available.

      1. So THAT’S why they weigh your shopping! I wondered. Cos it’s a complete pain in the arse, and causes nearly every one of the dozens of errors you’ll see the employee minding the terminals constantly chasing after.

        Obviously if you were going to shove something up your jumper, you wouldn’t scan it to start with, so it didn’t make a lot of sense seeing them weigh stuff. But that makes sense.

        I prefer to use a human cashier anyway. I enjoy talking to people. I don’t enjoy wrestling with a stupid half-broken paranoid machine that throws an alarm if I don’t pack my stuff promptly enough. As well as supporting human beings, hopefully avoiding the machines might encourage shops to actually get them working properly, if they’re going to phase out the human workers eventually.

        1. Not me. I used to, then we moved to a place full of anuses or anii. Nowadays it is self serve all the way. I wish they paid cashiers to be friendly and helpful and baggers not to stare at my wife’s jugs while they smash my food, but apparently they are only paid to be hungover and surly (something I refer to as a ‘Meat Safety Cone’). I do find that once I am out of the city people tend to be back to normal and friendly again. Glad you have some nice ones as I do like to know who I am doing business with and am a bit ‘onion on belt’ like that :)
          On a similar precursor to the barcode grift, I always enjoyed the ol price gun mark down. The only trick to that was the sticker color or store logo but they sadly left rolls of that stuff all over the place due to misfeeds and poor sweeping. I think the first nod I ever saw of it was the famous scene in ‘My Blue Heaven’ where Steve Martin goes to town in the meat section lol.

    3. >Before I became (don’t seek glory and don’t advertise)
      morally conscientious.

      Well you got me trumped all I did was join INC and USA for a bit in the old BBS days. Pre-Box Release of Ultima 6 bitches!!! (Sorry Lord British. I do have physical copies of it now along with Ultima 7, Savage World as well as Martian Dreams. Even paid for Ultima 8 ugh..) Hung out on a bunch of p/h/v/a/c boards. Called in once or twice on a conference line for free and even pimped a RadShack dialer and did a crystal swap.”0… umm, I keep trying the 5 button but it doesn’t press can you please help me?”

      Have you any idea how much it cost to call long distance? Fortunately we had calling cards.

      Funny thing, AND TO THIS DAY IS STILL WANNA KNOW!

      I had a series of DEAD card codes 16 in total. I studied this hand written list for about 5 minutes because something was weird.
      There was some sort of transposition of numbers. I don’t know HOW but I found 4 LIVE UN-USED code but…. F’ YEAH!Downloading and Y-Modem Upload Ultima:Underworld to some site in Syracuse.

      >some young blonde girl
      >hyper super 3D LCD TV was mine for the price of some low-end
      model.

      your a dick.

      1. “you’re a dick.”
        — Yes, I must admit. But nevertheless, I have had no reason why not to do it at that time. In fact, I think that in liberal society there is no reason to not to behave as an egoist asshole if there is no peril of punishment imminent.

      2. “you’re a dick.”
        — Yes, I must admit. But nevertheless, I have had no reason why not to do it at that time. In fact, I think that in liberal society there is no reason to not to behave as an egoist asshole if there is no peril of punishment imminent.

  4. Old fart in comments here. I still have my pcb cut to the width of a smart card slot with contact pads etched on it and a big wire with a parallel plug on it somewhere. Sky tv and Europorn being the youthful targets, Sky because it impressed people who visited and europorn because you couldn’t legally buy a cam access card because it was ruder than the UK allowed therefore was a extra laudable target to break.
    Sky went doubled up on encryption power in a arms race around card issue 0a and put a stop to it by bedroom tinkerers although the commercial carders kept on and were using SEMS to pick the key out for big money, and europorn went to secam encoding which our sky boxes weren’t capable of. Today sky italia is easy enough to do the same to, because last time I looked it was transmitted in secam which doesnt have the protection of NDS but really, I don’t watch enough mindrot tv to even care about breaking it now and CAM setups are a pain in mythtv which I use exclusively to pipe sat feeds round the house so the clear unencrypted channels on freesat are enough for me.

    I’ve often idly considered getting a card terminal and having a play, but I get paid for what I know now and have no financial motive to do so and put that at risk. Always interesting to read a post attack autopsy though.

    1. Apparently, the main UK cable company (Virgin/NTL) kept on using old, broken encryption that could be emulated with one of these Funcards well beyond the point when everyone had switched to something better – changed over about 2010-ish, I think. By the time those criminals used them to break chip and pin, they were thoroughly obsolete. Sky card emulation needed more horsepower than these were capable of and most of the big commercial card sellers wanted to lock down their firmware so that it would only run on their cards.

      (If I remember correctly, Sky’s newer cards used 512-bit RSA, and there were supposedly some neat countermeasures based on the fact that the genuine card took a different amount of time to execute the RSA operation than the emulator, which were in turn countered by working out exactly how many cycles the real hardware took for a particular pair of operands and emulating that too. Fascinating business.)

      1. There’s a job for any retired Atari 2600 programmers, without cycle-counting you couldn’t even get a display on the screen. Those lot were experts. Also good at getting a lot out of very little.

    1. How do I know if my dinner contains genetically-modified food? I don’t, apparently it’s none of my business. The Market is more important than The Customer, apparently.

      Fortunately they sell Faraday-wallets. You still don’t get any say in boycotting RFID if you don’t like it though. I wonder if your bank would be pissed off if you cut a little notch through where the antenna loop is? I’d guess that in a card that does NFC and has ordinary gold connectors, the same chip is needed for both, so you can’t just zap it or the card’s useless.

      Would cutting the antenna defeat RFID? RF’s a funny thing, with enough signal strength perhaps it’d still work.

      Can you skim anything useful from RF bank cards, if you pick up the signal?

  5. Might be a good idea for more organisations to offer bounties for bugs and hacks, to keep hackers honest. Probably cheaper and more reliable than doing in-house security testing, although of course do that too. May as well keep the giant brains occupied doing their hacking for the banks, rather than against.

    Perhaps keep it discreet though. Most people still think obscurity is an important part of security, going back to “loose lips sink ships” and the like. They don’t realise people are gonna be working on cracking stuff regardless.

    If it were me, I might just sell a few of these cards to interested criminals. Problem is, most shoplifters and card fraudsters don’t have the sort of money to pay much up front. You’d need some sort of gang with money. Sometimes higher-ups in the drug market get into a little fraud on the side, giving people dodgy cheques to pay into bank accounts, accomplice keeps a share of the cash, and the whole thing isn’t discovered til it’s too late.

    The problem with low-level working-class crime, is it all has to run on a bank balance around the 0 mark. There’s a paucity of investors. Middle-class crime is much more profitable. Also harder to catch, and a much lower chance of punishment.

  6. this statement confuses me…

    “They also came up with a few additional countermeasures that can be deployed in the future, just in case.”

    So they know the current system isn’t secure and have fixes for exploits that haven’t been found yet?

    Any idea how that sentence can make sense and not be scary at the same time?

    1. >“They also came up with a few additional countermeasures that can be deployed in the future, just in case.”
      All I can see is the image of a latex glove on a finger-print scanner.

      You’ve caught me on the day before of the eve of an election year.

      http://www.washingtonpost.com/wp-srv/special/capitol-assets/congressional-wealth-risk-matrix/
      http://billmoyers.com/2012/06/13/infographic-whats-the-cost-of-getting-into-congress/
      http://awesome.good.is/transparency/web/1206/what-s-the-cost-of-getting-into-congress/flash.html
      http://blog.constitutioncenter.org/2012/04/infographic-the-jobs-of-the-first-congress-vs-the-112th-congress/

      and finally… How f’ed the US is.

      http://i.imgur.com/xdWVes2.gif

  7. Now that PIN cards are thing … people at cash register often say their PIN loudly when cashier asks them to enter it. They literally take “why the f are you bothering me, I’m packing my groceries, enter it yourself” stand and then say it aloud. Happens all the time. When I enter it, I cover the pinpad with one hand, and people around usually look at me like “what a paranoic weirdo, why don’t you wear a tin foil hat” :D

    1. “where are the laxatives?” “HEY OTHER-TWAT CASHIER, CUSTOMER HERE IS CONSTIPATED AND IS LOOKING FOR THE LAXATIVES.”
      True Story.

      Don’t take it lightly there are shitty people about. Even clerks can be dumb mouth-breathers.

      Pro-life Tip: “Are you able to help and give me a STRAIGHT answer, kindly point me in the direction of hygiene products.”

      >“what a paranoic weirdo, why don’t you wear a tin foil hat”

      *shrug* When they are broke and financially raped who cares. You still got your integrity. Especially if you gave your blood and life to get where you are.

    1. Reminds me of the digital tape recorder skimmers used in restaurants. The waiter takes your card, covertly slides it over a recording head on his belt to record the strip as audio. Does the transaction as normal and gets the pin from uv dye on the buttons of the terminal.

  8. What needs to happen is the pin number scrambles the token that’s sent.
    A scrambled signal is sent back which when combined with the scrambled signal from.the pin reveals if the pin was good or not.

    No more man in the middle.

    I know this hack is old and reasonably patched but it’s still one of those, why didn’t I think.of that. The soldering of tiny wires like that is always impressive.
    Still stupid using the same shops, buying the same sort of items, you’d think they’d know better.

    1. That doesn’t help the “offline” mode.

      In online mode, the pin should be sent to the bank rather than to the card.

      As the paper notes, a proper fix for the offline mode is for the verification mode to be included in the transaction details to be signed by the card’s private key. If the transaction details say that the verification mode is PIN, and the card hasn’t been presented a PIN, then it should balk.

      1. Offline mode is problematic if the card is compromised, the merchant is trusting the card to operate according to strict protocol. A proper cryptographic signature system can at least protect against a POS system remembering the card number for later, and detect later if the card was compromised. The merchant recording card # or PIN for later enables fraud if a black hat gains access to the merchant system.

  9. If the bank isn’t using
    http://hackaday.com/2014/12/19/nist-randomness-beacon/
    with the merchant.

    F’in bury these f’ers.

    “I ain’t paying shit. Cause I didn’t buy it.”

    1.) I don’t have that RFID or Serial in my home or garbage.
    2.) I hold you liable for punitive damages for f’in with everyone
    3.) You don’t have the vid tape of me running my card.
    4.) An army of lawyers won’t protect your greedy fleching organization because I did not receive a notification of spending on my cellphone or a VM on my house phone to dispute charges.

    and 5.) I don’t have the phone number/email/phy address or connected via social with the gypsy that just ran that game on YOUR asses.

    Also, law will uphold REVERSE APR on interest rate/cost/balance that you want to charge me for. BONUS – My Lawyer gets double the cost * taxes so I do get my money back without splitting in a class action.

    The burden is on the banks. The End.

    (Former employee of Freddie Mac and contractor of Bank Of Butterfield.)

  10. Anybody have any suggestions for websites like hackaday but more geared toward software?
    Such as the Computerphile youtube channel. I’m interested in learning more about security/decryption/system processes; any suggestion would help. Thanks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.