One of many ways that Americans are ridiculed by the rest of the world is that they don’t have chip and PIN on their credit cards yet; US credit card companies have been slow to bring this technology to millions of POS terminals across the country. Making the transition isn’t easy because until the transition is complete, the machines have to accept both magnetic stripes and chip and PIN.
This device can disable chip and PIN, wirelessly, by forcing the downgrade to magstripe. [Samy Kamkar] created the MagSpoof to explore the binary patterns on the magnetic stripe of his AmEx card, and in the process also created a device that works with drivers licenses, hotel room keys, and parking meters.
The electronics for the MagSpoof are incredibly simple. Of course a small microcontroller is necessary for this build, and for the MagSpoof, [Samy] used the ATtiny85 for the ‘larger’ version (still less than an inch square). A smaller, credit card-sized version used an ATtiny10. The rest of the schematic is just an H-bridge and a coil of magnet wire – easy enough for anyone with a soldering iron to put together on some perfboard.
By pulsing the H-bridge and energizing the coil of wire, the MagSpoof emulates the swipe of a credit card – it’s all just magnetic fields reversing direction in a very particular pattern. Since the magnetic pattern on any credit card can be easily read, and [Samy] demonstrates that this is possible with some rust and the naked eye anyway, it’s a simple matter to clone a card by building some electronics.
[Samy] didn’t stop there, though. By turning off the bits that state that the card has a chip onboard, his device can bypass the chip and PIN protection. If you’re very careful with a magnetized needle, you could disable the chip and PIN protection on any credit card. [Samy]’s device doesn’t need that degree of dexterity – he can just flip a bit in the firmware for the MagSpoof. It’s all brilliant work, and although the code for the chip and PIN defeat isn’t included in the repo, the documents that show how that can be done exist.
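The downgrade described above only works if nothing downstream compares the swiped data with what the issuer knows about the card. The sketch below is an added example, not code from [Samy]'s repo or from any payment network. It parses a Track 2 string (ISO/IEC 7813 layout) and applies that comparison on the issuer side; the test PAN, the record fields and the function names are constructed for illustration.

```python
# Added example: issuer-side consistency check for a swiped transaction.
# Card data, issuer record layout and function names are constructed.
import re
from dataclasses import dataclass

# Track 2 (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit 2 or 6: the card carries an IC, use it where feasible.
CHIP_DIGITS = {"2", "6"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str           # YYMM
    service_code: str
    discretionary: str

    @property
    def claims_chip(self) -> bool:
        return self.service_code[0] in CHIP_DIGITS


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a Track 2 string into fields, rejecting malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["expiry"], m["service"], m["disc"])


def assess_swipe(raw_track2, issuer_records, terminal_has_chip_reader,
                 chip_read_failed=False):
    """Return a list of findings; an empty list means nothing suspicious.

    The stripe is treated as untrusted input: whether the card has a chip
    is decided from the issuer's own record, never from the swiped data.
    """
    track = parse_track2(raw_track2)
    record = issuer_records.get(track.pan)
    if record is None:
        return ["unknown PAN"]

    findings = []
    if track.service_code != record["service_code"]:
        findings.append("service code differs from issued value")
    if track.expiry != record["expiry"]:
        findings.append("expiry differs from issued value")

    issued_with_chip = record["service_code"][0] in CHIP_DIGITS
    if issued_with_chip and terminal_has_chip_reader and not chip_read_failed:
        findings.append(
            "chip card swiped at chip-capable terminal with no failed chip read"
        )
    return findings


# Constructed issuer database keyed by PAN (a widely used test number).
ISSUER_RECORDS = {
    "4111111111111111": {"service_code": "201", "expiry": "3012"},
}

# Constructed swipes: one matching the issued card, one whose service code
# no longer matches the issuer's record.
GENUINE = ";4111111111111111=30122010000000000?"
ALTERED = ";4111111111111111=30121010000000000?"

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("altered", ALTERED)):
        print(label, assess_swipe(raw, ISSUER_RECORDS, terminal_has_chip_reader=True))
```

The second finding depends on the terminal reporting its own capabilities and whether a chip read was attempted, which is an assumption about what the authorization message carries.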
[Samy]’s implementation is very neat, but it stands on the shoulders of giants. In particular, we’ve covered similar devices before (here and here, for instance) and everything that you’ll need for this hack except for the chip-and-PIN-downgrade attack is covered in [Count Zero]’s classic 1992 “A Day in the Life of a Flux Reversal”.
Thanks [toru] for sending this one in. [Samy]’s video is available below.
120 thoughts on “Defeating Chip And PIN With Bits Of Wire”
“By turning off the bits that state that the card has a chip onboard, his device can bypass the chip and PIN protection.”
That’s the central WTF. Why would a payment processor trust the low-security magstripe to tell it whether to require higher security, rather than determining it based on the card ID?
Could I not just shove the chip end of the card in anyway? Or do Freedom Cards require you to swipe before shoving?
In theory if you swipe your chip-and-pin card it tattles and tells the machine it’s chip-and-pin. The machine can then deny the transaction and tell you to use the chip instead.
This hack shows that you can use a stolen chip-and-pin card and make the machine believe it’s a swipe-only card by making it not tattle on you.
Therefore you don’t have to steal the pin to use a chip-and-pin card until swipe is no longer an alternative.
Don’t even need to steal the PIN in the case of my two CCs. Both expire in a year or two, so rather than send me a new card and PIN, they have a chip in the cards (since they knew all of this was coming) but all function on chip & signature.
Yup, all of the fancy tech, none of the security. Supposedly, in another year or three, I’ll get a PIN or a way to choose one online and get the security.
What’s the hack?
To Fletcher Lavern, you said this hack? What is the hack? What’s the format? Email me if you like firstname.lastname@example.org…..
I’m going to need that as well!
How? Come up with a method of determining if an obsolete card is obsolete. It’s not like a non-existent chip can tell the POS terminal that.
But really it was only a stop gap in any case. Magnetic stripes are being phased out and some terminals in some countries won’t even accept them anymore regardless of the state of the chip.
Well… they don’t… except for US maybe. In Europe it’s common (I would say close to 100%) for a terminal to force-check PIN anyway.
The central WTF is that there is apparently no PIN protection on the magnetic swipe.
Mind you, Europeans don’t run around with credit cards, like, ever. Mine is around the house somewhere, I forget where exactly. We have bank cards. Also, nobody has used actual paper checks for anything important since the ’80s I think.
Since you can order things online with CC without any PIN (apart from the number on the back, which anybody can read if they have the card in hand) I guess it makes sense that the US doesn’t care.
But on the other side of the Atlantic you do get PIN with your CC.
I always wondered how it’s possible to have a system in the US which is so reliant on good behavior of people, AKA ‘the honor system’. While at the same time you have people in the US who gun you down for 25 bucks.
Sheesh. The US isn’t the only country with criminals.
That’s true… but in the US, we call them bankers. ;P
Less social services leads to a harder society. Which the EU is going to experience more and more too since the (national) politicians go to the US for instructions and have now for some years already been eroding social security and health care to the point that already people are pushed into crime to survive, albeit not yet violent crime much.
Seems the EU national politicians are trying to convert the EU to some republican think-tank ‘ideal’ society.
Incidentally I say national a few times because there is still quite a difference between euro parliament and national politicians of the same countries. The ‘local’ ones are nastier.
Anyway, the point wasn’t about the crime in the US but about the odd combination of naïve trust coupled with a society which is not so easy-going and sweet in many areas.
But yes the whole world is in many ways a madhouse.
The US charges way lower fees to the merchant if they get PIN, but it’s not necessary for all transactions. Some merchants accept the higher risk and fees (also associated with online sales) for pin-less (non-card in hand) transactions.
In the UK Mastercard and Visa have “3D secure” type systems where you get forwarded to a login page to enter a random few characters from a password, so it makes it difficult for someone who’s ‘found’ your card to use it online.
And equally difficult when you keep forgetting the password that must contain x letters x number x non alpha numerical characters :)
I’m also in the UK. Did you know you can just click on the “forgot password” part and enter a new password with no checks?
Replying to jack laidlaw:
Had this happen recently. Had to call the bank and give a bunch of info before they would reset the website to accept a new password.
No. You probably can’t bypass security this easily. What actually happens, is since the verified by visa/3D secure page is hosted by the issuing bank, the issuing bank has probably placed a permanent cookie on your computer AND/OR stored your IP number, when you log in to the internet banking and/or do a successful purchase with VbV/3D secure. When you press “forgot password”, bank checks if cookie is present and/or if IP is in their database, and then proceeds to reset password without authentication, since the computer you use is “trusted”. Else it will probably refuse to reset password.
Note that VbV/3D-secure is ONLY aimed at preventing using a card you found on the street or skimmed, online. So convenience vs security, bank finds it more suitable with more convenience here, since it’s unlikely that the person who skimmed a card or found it on the street, also will find a “trusted computer” that the card owner has used.
If your purse/backpack is stolen it is quite likely that a thief would get both your credit card and your phone/laptop. Most people use their phone/laptop as “trusted devices” to do their banking and make online purchases.
Also: To the moderators, I accidentally clicked the “Report” button on Sebastian’s link, please disregard the report. It can be confusing when some comments can be replied to directly and others cannot.
Please refrain from speaking on behalf of a whole continent.
No worries, I’m pretty sure he was only speaking on behalf of the part west of the Caucasus.
It’s possible to bypass the European chip&pin by simply choosing to authorize with signature, which is the same thing as swiping the magstrip.
It’s made that way because there’s not always an internet connection to verify with the bank – especially with handheld and wireless units – or the connection may be congested, or the chip and the reader might not be working correctly, so the shop simply takes the risk. If the card is reported stolen and the shop runs it through without a PIN verification, the shop simply loses the money. If it isn’t yet reported stolen, the transaction may go through.
If you’re a criminal with a stolen card, you can simply request to sign the purchase and the shop decides whether they’ll let you. Most shop cashiers aren’t trained enough to even know that you can bypass the pin verification, so they’ll just say no.
That is to say, there’s no PIN on the magstripe on the European chip&pin card either. If you fall back on swiping the card, it prints out a slip that you sign. Happens a lot late night in bars, when everyone’s buying drinks and the connection is just jammed – the barkeep starts swiping cards and making drunk people sign to get it over faster.
The card reader simply stores the card number and purchase amount in the device, and sends it to the bank at the next opportunity
This is not really true, at least not for whole Europe. Magstripe track usually contains PVV in discretionary data, which is a “hash” (strong word for that mechanism :) of PIN + some values. This value is then checked by the card issuer, but only if online authorization is possible. If not, then the terminal can fall back to signature when there is f.e. no connectivity.
I’m guessing they’ll phase that out soon like Australia did. Since mid-year we have not had the option to sign, and must enter a pin regardless of swipe or chip.
It’s the same Visa Electrons everywhere. The magstripe just holds the card number / account details, and there’s no PIN check if you swipe it.
Local bank cards may differ.
Here is an explanation on how they cheated chip&pin for a while with a reader-card MITM attack :) https://www.youtube.com/watch?v=Ks0SOn8hjG8
You should consider using a credit card, at least in the UK they offer better protection against fraud. If you are defrauded the credit card company will refund you straight away vs a debit card the bank will refund you but the period of time is greater. Both credit and debit cards often offer Chargeback which is handy if there is some dispute over goods you buy. To add to that in the UK you have Section 75 of the Consumer Credit Act 1974 which means you are protected for credit card purchases over £100 up to £30k. Section 75 is similar to Chargeback but gives you far more protection. In fact if you pay a deposit of £100 on a credit card, Section 75 protects you for the rest of the purchase that you pay any other way.
Not really, we can’t use magnetic without a PIN here, unless it is a paid highway, they call it “low value operations”, no PIN required, because it would slow down the traffic as hell while each person typed the PIN :)
Here in Portugal works the other way. First the chip, if it doesn’t work, the store might try the magnetic alternative, however, in gas stations this is not allowed. Chip or money.
So, this means that other countries are implementing Chip and PIN in the wrong way?
I’m pretty much sure we do the same here in the UK chip or nothing.
Here in the UK Tesco have happily accepted mag swipe this summer. The chip on my card stopped working, Santander had to issue a replacement card.
Few staff are trained to accept it these days though.
Have you tried the self serve petrol machines? If I have one euro on the card (chip and pin) it seems they’ll auth me up to 99 euro and remove the €1 auth charge after getting full payment.
Yank who regularly visits the UK speaking here, swipe cards are widely accepted throughout the UK. Occasionally I will be asked for supplementary ID, but often, not even the signature on the card is verified when the payment is processed. The US is making a move toward chip and signature so maybe in another 3 – 5 years the US will be moving toward chip and PIN.
I think the sooner every country gets chip and pin the better. We could just get rid of mag stripe only transactions and hacks like this won’t work. I find it weird that America who is normally on the forefront of new technology is still on mag stripe only.
Yes, same in Canada. Chip & pin first.
Here in the Netherlands I have not seen a machine that could handle a mag stripe in shops in quite a few years. The move to chip was made like a decade ago. That said, there is still a mag stripe on <5 year old card. Right now we're making the move to NFC, so pretty much all bank cards handed out now have a chip and NFC but no mag stripe. I guess the chip will stay for another decade or maybe even longer since NFC has a bit of a bad rep.
It’s a design feature (bug).
The chip reader detects the presence of a card electrically. The mag stripe reader has no switch to tell the pin pad when a mag card is being used. It just assumes a mag strip card has been swiped when it receives the magnetic sequence that it expects from a mag card. So if it detects a mag sequence and no chip card has been inserted then it assumes a mag card has been swiped.
I have several pin pads here and I can pull one apart if you want confirmation. I am fairly confident this is the case as I have used mag stripe readers where the card path is in clear view and there is switch that I can see.
Every chip & pin card I have seen has a great big visible contact pad where the chip reader reads the chip cards. Unless the US screwed up in its implementation somehow (or the merchants are idiots) there is no reason why it shouldn’t be blindingly obvious that the card has a chip and should therefore be inserted into the chip slot and not the mag stripe reader.
Have you been to the States? If you go with a UK credit/debit card that has a chip, pretty much everywhere makes you sign despite them having chip&pin/chip&sign capable card machines.
Some of this is training (half the time in Target I was asked to swipe, the other half chip) but there is also just bad till implementation – at a Subway we went to, the guy made sure to tell us not to use Chip as it would crash their till and take 5 minutes for it to reboot…
Is supporting Chip and Pin and magstripes in POS terminals actually hard? We’ve been able to use both in the UK for as long as I can remember.
The iron filings thing is very cool, I’ve never seen that before
The amount of hardware rolled out in the 80s and 90s in the US means that the costs involved in the upgrade are significant for the retailer, whereas in other markets that came online later those costs are less.
Additionally, chip and pin provides no security for internet, telephone, manual or paper-based (read: mailorder) transactions. All of these forms of processing have been significant in the American economy.
I also heard rumours that in the cost-benefit analysis the amount of fraud that chip-and-pin (and NFC) prevents has historically not been worth the cost to implement
Can you go into detail about how the fuck the card from Terminator 2 was supposed to work? I can’t figure out what that was at all.
It was hacking! You know, hacking! Plus the Atari Portfolio had some secret ATM code in it.
I design these things and I can say that doing both the chip and the swipe is a pain.
On a handheld unit, putting the mag stripe in the side means you need to carve out some internal volume and protect the wires from the mag stripe.
On a parking machine type, you have to stick the whole damn card into the slot so that the whole mag stripe goes past the read head. This puts a minimum depth limit on the unit. Also, the mechanics surrounding the mag head make the whole thing thicker. And you need to protect the wires coming out of the mag head.
Can’t go into any further detail, sorry.
Chip and PIN is such the norm in the UK that downgrading (if it were to even work) would be noted at the POS. Certainly I wouldn’t be surprised if it triggered the CC company’s fraud detection.
In France it lowers the seller protection. But I find it strange that the magnetic strip content is not signed, maybe there is not enough space to add a signature.
If one can read the strip he can read the signature as well and can replicate it. Signature adds no security.
The only advantage of magnetic stripe is that it permits direct reading of card information into computer system. Before magnetic stripe there were paper receipts with ink roller stamper. The merchant was giving a copy to the buyer, sent one to credit card company and kept one for himself.
Magnetic stripe adds no security, only convenience.
Only chip and PIN add security.
A signature would indicate that the bypass is invalid though, and you’ll be forced to use chip. It’s a tiny bit of security in that way.
So erase the signature data?
The old paper method used a triple layer carbon paper slip. I’ve used them up until something like 2011 and it’s still available in some limited extent. Credit cards still come with the embossed letters, but Visa Electrons don’t.
This is a feature of one of the new Samsung phones, isn’t it?
I’m not surprised there is a “has a chip” bit on the mag stripe, so that the reader can quickly abort a swipe and insist on chip, if available. I *am* surprised that the terminal doesn’t also notify the bank that it HAS a chip reader if the stripe was used so that the bank could abort and insist on chip.
SamsungPay uses the same magnetic coupling scheme…
I doubt it does.
It probably uses NFC which is a standard.
This device uses coupling to the magnetic head reader to simulate a card being swiped, without the need to swipe an actual card. You could do the same encoding a blank magnetic card.
Samsung probably uses 13.56 MHz radio signal using NFC card system, which is built into the back of many high end phones.
Both look similar but this device couples to the magnetic head wires, while NFC uses a specific different coil in the payment terminal. NFC allows a chip like handshake rather than the simpler magnetic data.
It does. Samsung pay supports both NFC and emulated magswipe.
And this is replacing the five magswipe cards currently on my lanyard…
What isn’t mentioned is something I’ve noticed in my neck of the woods is that when you try to use the chip and the damn reader is dirty or something it’ll try then fail and say ‘use stripe’
So you should also be able to force magstripe by artificially creating a bad read on the chip contacts. But I’m not sure if it actually has to somehow see there is a chip or that simply noticing that a card was put in the chipreader but there was no read causes it to switch to stripe. Or in other words if just some sellotape or something on the contacts would do it or if you would need to somehow allow a partial read by disabling just one or two contacts on the chip’s pad.
In my area it still doesn’t help though since as soon as chip was introduced most shops put tape or some such over the magstripe reader so you can’t use it. To force the public to switch.
And incidentally, if you came with such a homemade device as shown here and tried to use a reader they’d have security grab you and they would call the cops I expect. Regardless if the machine said it was OK or not.
You can always pick a card, any card and glue a piece of videotape to it. Then it’s just a matter of recording proper pattern on the card. When magnetic card payphones were popular here, we did that to clone expensive cards. Some people even reverse-engineered information encoded on them to write cards worth couple of hours of talking instead of typical 75 to 300 minutes. When phone company switched to chips, they disassembled the firmware and made PCB cards with microcontroller and some dip switches for mode switching. It not only emulated normal card that never lost its value, but also special cards used by repairmen to access programming and debug functions of the phones.
It’s even simpler than that with chip&pin cards.
If the chip fails, and there’s no magstrip or no slot for it, the cashier can simply type the numbers of the card in the unit and print you a slip to sign.
There isn’t any security in these things that can’t be bypassed by a familiar face behind the counter.
Here, magnetic strips are only accepted in terminals with cashiers that will require you to show your ID.
I was in a DIY shop once where somebody was paying with CC and they not only had to use PIN and chip but also sign and show ID…
I was thinking ‘to hell with that, I’d never use a card that way’
I mean if you got chip and PIN it should suffice, you aren’t going to do the sign+ID song and dance on top of it surely?
I’m surprised they didn’t have to fingerprint and irisscan too.
Meanwhile the CC companies are trying to get more people to use CC in daily life, while at the same time making it a TSA-kind of experience…
Sounds like the cashier didn’t know how to handle it and wanted to be safe rather than sorry?
Or that the communication to the bank was down for the moment?
In any case, it has nothing to do with the technology or credit card companies.
I think it’s because CC cards are so rarely used here in stores that they (in advance) went nuts with checking. But you only scare customers away. And that shop was part of a campaign to get more people to use CC BTW, so it’s odd to get a PR thing going and then making the experience shitty (in my view).
Is chip-and-PIN the end-game in the US? Currently readers are either swipe-and-sign or chip-and-sign, no PIN either way.
Who can tell, it’s all up to some weirdo CEOs of some big banks. The kind of people who print out their E-mail before reading it. There’s no telling how they envision things.
RIGHT! That’s my experience also. I even called my credit card company and asked them if I could get a Chip and PIN version and they said they did not have the capability to do that. Arghhhhhhhhhhh!
Where I live I don’t need to sign anymore. Most of the time for small amounts it is near field reading, that’s all. For amounts bigger than 50$ or 100$ (depends on merchant) it is CHIP reader + PIN, no signature. I didn’t sign any receipt for a long time.
I used my new “corporate card” from work to buy a large amount of steak at a Sam’s Club in the US ($650 purchase), and it required a PIN.
I had to void the sale, so I could step off to side, call Citi, and get a PIN set for the card. Then I was able to make the purchase. With PIN. For smaller purchases at the same store, it does “chip and sign.”
In any case, chip-and-PIN does exist, here. If not common.
It’s pretty cool that you can extract card data visually with iron shavings but… all you needed was a card reader. Emulating the card with a magnetic loop is also pretty neat (although nothing new), but I’m pretty sure criminals just make counterfeit cards using magnetic strip writers and CC information they stole online. That’s the entire purpose of chip and pin, to make it more difficult to counterfeit cards. It shouldn’t be shocking that a merchant will still accept your card if you mod it into saying it’s an “older” card, as long as they’re still accepting them.
The shocking bit to me is that he claims to have cracked American Express’s algorithm for generating new CCNs and can predict what someone’s next CCN will be if they report their current one stolen.
That PCB, has got to be the first example of something that would qualify for the square inch project (almost) that is entirely through-hole componentry.
It also makes a mockery of what the banks are doing over in the US. Then again, I’m old-school, still use a passbook to access my savings, do electronic funds transfer in-branch, and my debit card (from the post office) stays in a drawer at home — it has never seen a magstripe reader, chip reader or RFID reader in my possession.
Why does the machine need to accept both? That doesn’t sound like a very efficient way of making the transition. US credit cards are required to expire within 3 years of issuance, at which point a new card is sent to you.
If the banks start issuing cards with chip+pin and magstrip, all stores can start switching their POS from magstrip to chip+pin 3 years later as everyone will now have a dual-function card and be able to use either machine. Once the stores have all switched (give them a year or two), magstrip can be officially retired and chip+pin only cards can start being issued. With this system there is no need for complicated/expensive dual-method POS machines that will be half-useless after the transition.
The chip&pin system isn’t as mechanically robust as the magstrip, and the magstrip is a fallback method.
The European version too retains the magstrip even though everyone has had chip&pin cards for a decade now. It’s simply because it works, while the chip often doesn’t. People rub and breathe on and even lick their chips to get them to work sometimes.
Sorry to say, but you don’t actually want Chip and Pin. Here in Canada if fraud happens with the mag stripe, the bank covers you. BUT if fraud happens with the chip and pin YOU pay every penny. It is in every credit card agreement fine print. Visa and Master Card etc.
The mag stripes are to go away in the next year too.
The chips are not secure at all.
How are the chips not secure? They cannot be copied so a thief would have to physically get your card and know your pin.
Yes he is.
This is true, chip and pin is presented as a security feature for clients but in reality is intended as a liability shift to end clients…
I don’t know anyone that buys anything with a payment card IRL. Payment cards are only ever used at the bank to get cash out of an atm. I mean are you honestly going to hand your card to some $3 an hour waitress or bartender so they can carry it off and do god knows what with it?
Quite the opposite here, nobody here carries cash, lots of hipsters with skinny jeans that can’t hold a full wallet, lots of people with phone cases that hold about plastic cards, a quick call to the credit card company can make your card useless to whoever stole it
Also, I would fill up on gas, and then try buying a subway ticket and my bank would text message me a warning, I text 1 back to confirm it was me or 0 if it was fraud
Where I eat, drink, buy or whatever the staff bring the card reader to you – and look away when you type the PIN. They can’t take the card away to some obscure place to cash it because they don’t have the PIN. I don’t have a credit card because I don’t need it – the bank issued card does Visa etc as well as ATM operations. My wallet has a number of cards – but only one that deals with money, the others are membership cards etc.
And you trust the terminal isn’t a dummy keypad set to record your PIN and authorize a larger sum on the real unit under the desk?
If they tried that, they would be detected and arrested in a matter of hours. It’s a better idea to record the card and PIN, make a clone and few days later use it at Wailing Wall (ATM). This way it’s impossible to find out where the card was cloned. And victim is screwed twice. Not only he loses all the money from bank account, but bank can claim he withdrew money and now tries to pull off a bank insurance fraud on them.
Yeah, in theory. In practice there’s some anonymous payment processor between the shop and the actual bank, and everybody’s just shrugging at you. There’s no real checks on the system.
I’ve been double-charged many times.
How the scam works is, they let you buy something, and then authenticate the purchase twice, which gives them the proper receipts and payment records, and you can’t prove you didn’t do it. Well, technically you could point out that the two purchases happened 5 seconds apart, but you have to take it up to the payment processor to get it reversed because the bank doesn’t care. For them it’s a valid transaction and since “chip&pin is secure” it’s you who’s trying to con them.
Sometimes it isn’t even the shop who cons you, it’s the payment processor who makes random double-dips.
> detected and arrested in matter of hours.
What kind of world do you live in?
That would be rather stupid since the second someone complains about it the police can look up what terminal was used and where the money was transferred.
The police doesn’t get involved in POS scams immediately. They tell you to go to the bank, the bank tells you to go to the payment processor, and the payment processor just quietly reverses the extra fee and pretends nothing happened.
I don’t know what you guys are on about.
First of all, the whole hack deals with how to [try to] trick the terminal, NOT the terminal scamming you, which by the way is, at least in the civilized world, not an issue for two reasons:
1. The frequency of it happening
2. Your bank not charging you when it does happen.
Second, well. There is no second point to this.
Well, no. But in some countries there are a lot of wireless (gprs/3g/edge…whatever) terminals that support NFC (paywave, paypass). So the waitress just brings a terminal to the table and I tap it with my card to pay…
I bought my last 2 cars with a debit card (assume this is what you mean by payment card) – GBP 16K and 20K respectively.
> buys anything with a payment card … cash out of an atm
I haven’t carried cash regularly in over a decade. It’s dirty, fiddly, and you have to be constantly worried about having enough on you.
> so they can carry it off and do god knows what with it?
I don’t really care, that’s a problem for whoever employs them, as they are liable for the fraud in the eyes of Visa/AMEX et al. and I will not be on the hook for the money. At least in the US. How the card issuer business arrangement is set up elsewhere in the world I cannot speak to.
It’s not really defeating chip and pin, it does make me not want a swipe strip on the card anymore though! Here’s how behind the US are: I’m 23 and I’ve never used the swipe strip. Nearly all of the UK terminals accept both though.
Only recently have I seen ones which don’t have swipe and they are portable ones which connect to iPad based POS systems via Bluetooth… Bluetooth ffs, I hope they layer some extra encryption on top…
Though I don’t know why we don’t have two separate cards, one with a number to use online / over the phone that can be kept in a safe place, and one with no card number on it just a chip for using in public.
Because the chip fails and then there’s no method to accept payment. The number is on the card so the cashier can type it in manually, and technically even sign it himself.
There’s really no security in these cards that can’t be bypassed by a shopkeeper colluding with the criminals, or because they’re simply careless and trusting.
But I thought the point is that the machine won’t accept the strip if it has the bit set to tell the machine to use the chip?
I wonder the failure rate of chip transactions and if the redundancy is necessary. Could they not just put a chip at each end of the card?
If the machine has already detected a failed chip, it says “swipe card” and ignores the bit.
And the chips and the terminals fail -a lot- in practice.
Think about it this way. A regular USB connector is designed to last a minimum of 5,000 insertions which should last a lifetime of the device. A chip&pin terminal can go through a similar number of transactions in a month, and the chips themselves are only replaced every few years.
The chips bend, bow, corrode, chafe, there’s all sorts of tolerance issues with different cards being different thicknesses, materials, dust and dirt getting into the card slots, people spitting and licking and rubbing their cards with their fingertips to “clean” the chip – It’s frankly a miracle that they work as well as they do at all.
I’m not happy about instructions put out there how to steal the information on a credit card, if I read the original blog correctly. I shop at some places that now use the chip, but I don’t have to put in a PIN or sign; how does that protect my card from being used by anyone if I drop it or leave it somewhere? It doesn’t give me any protection that I can see.
What’s better – hackers making the security problems public knowledge so that banks have to fix it?
Hiding the security problem so that your money gets stolen by a hacker that is going to discover the security problem anyway?
If someone that is not interested in stealing your money can find a security hole then you can be damn sure that a hacker that wants to steal your money *is* going to find the same security problem.
Most people are good people and to them knowing *how to* hack a credit card is not going to turn them into a criminal.
I’m happy to agree with that; thanks for explaining the justification, which makes sense.
How does the chip fail?
Do you guys use sandpaper lined wallets?
Both my debit cards are over 3 years, use them at least once a day, never had the chip fail on me.
Never ever saw anyone paying with signature, only ‘Murican turrists (and the wanna-be poseur French that speak broken French and yell in Portuguese with the 20 kids that are crying because they are taking 30 minutes to pay), and then it’s a chore because their cards look like they were run over by 20 trucks, they cause massive delays in checkouts/stores, always the same crap.
In Portugal there is even PayWave, under 20€, hold the card to the reader, but it still prompts for the code, at least where I used it just for giggles.
Checks were used up until 2004-2005. 20 years ago going to the supermarket and pulling out a 200-check checkbook always turned some eyes around, but too many scams, the so-called (by direct translation) bald checks, led the banks to remove them. My parents still use them, but checks are very expensive, 50-60€ each book of 100.
Get your crap together USA, magstripes are a thing of the past in this broke *ss country, and for you guys OMG BBQ!!11!!one its so complicated -.-
it’s the account that contains a bit to also show it is chip and pin, so it still asks for pin, am i the only one here that actually has tried this and when you swipe a card with chip and pin it still asks for pin because the ACCOUNT requires it.
oh wait, you guys are discussing CREDIT cards and not bank cards?
… that’s what happens when you insert a CREDIT card into an electronic reader instead of a BANK card like you’re supposed to! around here we call P.O.S. terminals bank terminals not credit terminals, and for a reason.
lucky thing; credit cards these days charge more interest than the damn thieves anyway.
It defeats nothing.
1. The POSi has to allow mag-stripe only via the service code this changes. The POS or provider doesn’t control this except in some failure stages.
2. This does nothing with chip&pin, it does electro-magnet spoofing against the analog header used for magstripe readers
3. US chip&pin systems ignore the bit so it doesn’t even matter right now and probably won’t later due to vendor firmware
4. This is why I can’t stand hax0r news by blogs that make money off sales and ads.. IT’S A NICHE QUICK POST IT!!!
Prediction: It’ll make it to mainstream news and eventually someone people listen to will point out exactly what I and others have and it’ll fade away..
I have one which is 0% for the next couple years (then I’ll close it) and one which is about 6%. Hardly criminal! I use the CC for larger or more shady transactions because you’re better protected. But I do use the debit card more often.
For some reason this ended up below xorpunk when I clicked reply below NewCommentor1283s post!
This will not work with multitrack cards, or readers that have physical card detection obviously. I’d guess that parking meters or hotel locks that you insert your card into are of this type. Also publicly accessible card readers are usually metal cased, so it’d be quite hard to induce enough current in the read head.
However inserting a card with a coil embedded (it’d be cool to reuse the coil embedded in NFC cards that are getting momentum in Europe) should give better coupling.
In Finland, if the card has a chip none of the pay terminals shall accept the stripe. This might work with ATMs without on-line verification. AND although some might not count Finns as Europeans most of us do carry credit cards around constantly. This is more or less mandated as we do no longer have traditional payment cards. All new cards are equipped with electronic ID as well as the NFC payment chip. Basically all our electronic payments are now credit/debit based and electronically supervised.
The heading is somewhat misleading though. The trick doesn’t defeat the ID and PIN, just allows for some not-up-to-date payment terminals to accept the signature option where it should not work. This actually happened to me back in time when the technology was new and the shop keeper used the old style manual payment card method and signature. The bank bounced the paper transaction form when they tried to cash it and they had to send me a separate invoice together with an apologizing letter, which I was kind enough to pay…
The headline is definitely misleading in this post, it’s not defeating chip and pin, it’s just forcing the card to be used a different way.
All terminals in the UK accept both chip and pin and the magstripe, I’ve been hoping they’ll do away with the magstripe eventually so cards can be physically smaller. They don’t need to be so big anymore!
Technically even chip and pin is becoming old hat with the limit on contactless payments being increased all the time.
Don’t say “Europe”. Europe has no unified system. I know because I’m French and I lived in some countries in Europe. There are many things true for one country that aren’t for the other in terms of banking. I’ve been playing with cards since 1995. The US didn’t want to use chip cards for a very stupid reason as usual: chip security on cards is a French brevet, and the US couldn’t stand to buy or exploit some other country’s technology. Now it’s public domain, that’s why they are 30 years late. Also in 1995 I could get money from an ATM with a simple copy of the mag stripe of a French card (meaning chip + PIN) in France. That was because Visa means worldwide, and so because many countries used old unsecure technology, ATMs had to be able to downgrade the transaction to only use mag stripe. But early in the 2000 it didn’t work anymore: if the card was identified as issued by a French bank (thanks to the 4 first numbers, e.g. 4976, 4973) then the ATM would refuse the use of the magstripe. And it is as such here now even on POS: if your card is French, it means it does have PIN + chip so the POS or ATM refuses to read the mag. I tried many times: if you swipe it, it asks you to use the chip and won’t allow the transaction. So in a word the magstripe on a French-issued Visa card is only there because it’s an international card and it can be used in some low technology countries but its use is disabled in the country where the card was issued.
So I read something here about a bartender swiping a card and jamming of the line... That doesn’t exist here: as I said the mag stripe is disabled, but also even 15 years ago when it wasn’t, for a simple reason: we rely on the very secure chip. There is no communication with the bank for a basic Visa card (not an Electron card): the security is in the chip itself, and the bank allows any transaction up to 75 euros to be accepted if the PIN is OK (that can be changed by the merchant but usually is not, so it speeds up transactions). In other European countries (like eastern countries where people are poor and unlikely to have 75 euros in their account), even if the card is a basic Visa card, the bank is asked for authorisation for any transaction of any amount, exactly like a poor Electron Visa card.
the only way to cheat in France is to use “Yescard”, thanks to the fact that small amounts aren’t checked online, you can emulate an EMV into a chip, that you will program to “say”: “ok the user entered the correct PIN, allow transaction” for any 4 digits that the user enters. It doesn’t even need to be a real 16 card number, and the ATM will pay. The money belonging to virtually “nobody”. But of course security is changed like yearly in this domain, especially in France with so many chip card engineers and companies like Gemalto/Oberthur
My first thought was Uh?
Why would the magnetic strip have an indicator if the card has a chip?
Here in the UK the procedure is simple, put your card in the machine to use Chip and Pin. If reading the chip fails then revert to swiping the card.
However I figured out why you would have such data on the stripe. If the retailer chooses to swipe a card that has a chip the liability is 100% on them so their system could refuse to accept a swiped card if the card is equipped with a chip.
yep that’s why in France if your card is issued by a French bank, the stripe is deactivated on ATMs and POS. if the chip is fu*** then too bad, you need to get a new card but you won’t be able to swipe. That security is going to be applied in all countries soon to enforce the sole use of chip on domestic soil. Stripe will be used only when you go to some exotic/third world countries where not 100% of their banks issue chip cards.
I travel a lot and use credit cards In the US, Canada, Mexico, Germany and the Netherlands regularly.
Security is wildly variable. At big hotels in Mexico they take an ‘Impression’ of the card lettering by laying paper over it and rubbing it with the side of a black crayon. The first time I saw this I asked if the system was down and the desk clerk said ‘This is the system’.
you must be pretty young to be surprised by that. When Visa payment cards were invented in the 80’s, that was how it worked everywhere (well OK maybe not rubbing a pencil but the principle is the same, and as with a check, it doesn’t matter if the paper is official (carbon paper) or random blank paper, it has the same legal value). Your bank would engrave a little piece of steel with your name and bank number (for you the merchant), and it was placed inside the “fer à repasser” and so the carbon paper is imprinted with both the embossed card numbers and the merchant plaque. Then you give that paper to your bank (as the merchant) and they process the payment. Just like for a check. Didn’t you ever ask yourself why some Visa are embossed and cards like Maestro or Electron aren’t? Well that’s because of that: with a Visa like Electron the bank doesn’t allow any “credit line”: so you can’t use it with a “fer à repasser” which is in a way “a credit line” as you just sign a piece of paper. Only someone rich enough could get a real embossed card, so it meant: no need to check if funds are on his account, we, the bank, say that guy is good for it. Whereas on the Visa Electron card, the bank says, no no, this guy is too poor, we won’t trust him, so we can’t allow him to sign a bill if we haven’t checked the money is available, so you can rubbed the number. It’s just like a check. That kind of system is still used in poor countries, or where there is no electricity.
This is why I like my coin 2.0 card. it is mag stripe and NFC.
but it is only active until I wake the card up and can not be skimmed until I wake it up.
also it locks when it is not in range of my phone.
So if someone steals it, it is useless.
so far 99% of the updated POS systems work with it that I have used it in the US.
Changing the first digit of the service code from a 2 to a 5 doesn’t disable or defeat EMV. It just means the terminal or POS you’ve used it at isn’t aware the card should be dipped and will attempt to process it as a mag strip transaction. The bank that issued the card is ultimately responsible for approving the transaction and if the service code they receive is incorrect they could interpret it as fraud. Provided that transaction actually reaches the issuing bank to be approved of course which is a tale for another day…
Also EMV is designed to be a suite of security features that enables protection for the cardholder and bank from a variety of fraud through several means including verifying everything about the transaction. The issuing bank can verify the card is authentic based on the request cryptogram it generates. The card holder can be verified by either the card or the issuing bank based on the PIN entered during the transaction. The card can even verify if an approved response came from the issuer based on the response cryptogram returned by them.
The problem with the US implementation is someone decided the US market only really cares about protecting against counterfeit cards leading to a very anemic solution at least initially which is basically chip + signature or chip + no Cardholder Verification Method. I imagine this is at least partially an attempt to ease merchants into accepting chip cards without completely changing the way they do business. For instance chip + PIN being a requirement could create a problem for fine dining restaurants because they would need to either implement pay at the table devices (if even an option from their POS vendor), use stand alone terminals for pay at the table, or make folks walk their butts up to a counter which may not even exist today.
As far as MagSpoof goes I’ve seen similar projects before but love the tiny minimal design :) and yes commercial products exist that do basically the same thing (for instance Loop Pay which I believe was purchased by Samsung and incorporated into Samsung Pay) but who cares.
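The issuer-side check described in the comment above, sketched as an added example (it is not code from the post, the MagSpoof repo, or any card network): it parses an ISO/IEC 7813 Track 2 string and flags a swipe whose service code differs from the one the issuer encoded, or a chip card swiped with no recorded chip-read failure. The record layout, the `entry_mode` labels and the sample tracks are assumptions constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

# First service-code digits that mean "use the chip where feasible".
CHIP_DIGITS = {"2", "6"}

# Constructed sample data: a test PAN and the service code the issuer encoded.
ISSUER_RECORDS = {"4111111111111111": {"service_code": "201"}}
GENUINE = ";4111111111111111=30122010000000000?"
ALTERED = ";4111111111111111=30125010000000000?"  # first digit changed 2 -> 5


def parse_track2(raw):
    """Split a Track 2 string into PAN, expiry and service code."""
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}


def review_swipe(raw, records, entry_mode):
    """Return findings for one swiped authorization request.

    entry_mode is a hypothetical label set by the acquirer:
    "magstripe" (plain swipe) or "fallback" (swipe after a failed chip read).
    """
    card = parse_track2(raw)
    on_file = records.get(card["pan"])
    if on_file is None:
        return ["unknown PAN"]
    findings = []
    issued = on_file["service_code"]
    if card["service_code"] != issued:
        findings.append("service code %s differs from issued %s"
                        % (card["service_code"], issued))
    if issued[0] in CHIP_DIGITS and entry_mode == "magstripe":
        findings.append("chip card swiped without a recorded chip-read failure")
    return findings


if __name__ == "__main__":
    for label, track, mode in [("genuine fallback", GENUINE, "fallback"),
                               ("altered swipe", ALTERED, "magstripe")]:
        print(label, review_swipe(track, ISSUER_RECORDS, mode))
```

The second check uses the issuer's own record, not the service code on the wire, so it still fires when the swiped value has been altered.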
HOW IS THIS POSSIBLE TO TURN OFF BITS ON MAG STRIPE THAT LETS YOU SWIPE LIKE THE OLD CARD??? I DON’T THINK IT IS POSSIBLE
“It’s all brilliant work, and although the code for the chip and PIN defeat isn’t included in the repo, the documents that show how that can be done exist.”
where what is the code